To Our Customers, Prospects, Partners, and the Cybersecurity Community:
Update: on Sunday, Dec 13, it was reported that SolarWinds was the subject of a sophisticated supply chain attack targeting SolarWinds Orion Platform software, their enterprise IT monitoring solution. According to public and private sources, this supply chain attack is linked to FireEye and other US federal entities being targeted.
In the released IOCs associated with both the FireEye and SolarWinds breaches, SentinelOne customers are protected. In the SolarWinds attack, dubbed “SUNBURST,” SentinelLabs research has confirmed that devices with SentinelOne agents deployed are specifically exempt from the malicious payload used in the reported IOCs. As presented in the SolarWinds attack, SUNBURST does not trigger malicious activities on devices protected with SentinelOne.
Following the SolarWinds supply chain attack:
- SentinelOne’s Singularity Cloud blocks all reported IOCs
- All SentinelOne customers have access to a new hunting pack which includes custom Deep Visibility hunting queries for the latest SUNBURST and FireEye breach IOCs
Our recommendation to customers and the community-at-large is to follow SolarWinds’ security advisory instructions. In addition, please incorporate best practice countermeasures including:
- Resetting all credentials used by or stored in SolarWinds software
- Resetting service account passwords if service accounts were used with SolarWinds software
- Referencing FireEye’s SUNBURST countermeasures
The SentinelOne team stands ready to assist in these times of uncertainty. Ensuring you’re informed and protected is key to staying secure. Our experts are available to speak on these events and your cybersecurity readiness by contacting us here.
It’s not every day we see a fellow cybersecurity company, especially one with a significant presence serving the federal government, as the subject of a breach. On December 8, FireEye disclosed a sophisticated attack which led to the “unauthorized access of their red team tools.” The statement went on to say the company does not know whether the attacker intends to use the stolen tools themselves or publicly disclose them.
We are sad to hear the news; all cybersecurity vendors at some level share a unified purpose of making the world a more secure place. Our thoughts are with our colleagues at FireEye and with their customers. SentinelOne’s commitment to keep customers protected remains unwavering. We innovate to raise the cybersecurity bar to defend our digital way of life.
In this blog, we update on the actions SentinelOne has taken across our SentinelLabs security research team, Vigilance MDR team, and product team in response to the FireEye breach. Our platform is able to detect the known malware samples associated with the FireEye breach.
Detection is Foundational to Visibility & Protection
We continue to monitor and hunt for relevant IOCs and artifacts related to the breach. We can also confirm that all assets that are seen so far in the wild are detected by the SentinelOne agents, with no upgrade needed. If there are parts of your network that are not protected with SentinelOne, we encourage you to close that gap, even if you need to exceed the number of licenses you have at the moment. We recommend the use of our Rogue system detection to identify the systems that should have an agent deployed. Below this blog, please find a list of hashes based on FireEye’s reporting and our own research that we confirm are covered.
Hunting Pack Released for Every SentinelOne Customer
We’ve already released a bespoke and ready-to-use hunting pack in every customer’s SentinelOne console for retrospective hunting missions. SentinelOne’s industry-leading data retention periods enable lengthy lookbacks for thorough investigations. This customized hunting package enables our customers to know if any of the artifacts related to this breach exist – or have existed – within your enterprise.
We’re Here to Help
SentinelOne is committed to doing the right thing – and we stand by ready to help at no cost. Here are several actionable steps our team suggests:
- SentinelOne Customers: if you’re a Core, Control, or Complete customer and desire custom hunting assistance, our Vigilance MDR team and our Customer Success organizations stand ready to assist. If you need additional agents, we’re ready to assist with rapid deployment. Our 24/7/365 team is ready to help via phone or console.
- Non-SentinelOne Customers: if you need assistance conducting a risk assessment as it relates to the FireEye breach or securing unprotected devices, SentinelOne is ready. We can deploy in minutes without business interruption or restarts. Our team of experts can help quickly determine if any traces of the FireEye breach are in your environment for compliance and executive briefing purposes.
We’re here to help. We’re here to protect. We’re in this together.
Latest FireEye Indicators of Compromise (IOCs)