Updated: Dec 28, 2022
Welcome back, my aspiring cyberwarriors!
In recent weeks I'm certain you have heard about the SolarWinds/Sunburst hack. Just to review, Russian state-sponsored actors hacked into the SolarWinds update server and installed malware into the software updates. As a result, everyone who received the March 2020 update, now has a Russian backdoor on their system. This includes nearly every US government department and many major corporations.
The concept of using a software update for installing malware is not new. When the US hacked the Iranian uranium enrichment facility in 2010 with Stuxnet, they used software updates to install the malware. For more on using software updates for installing malware, check out my tutorial on EvilGrade here.
Now that many of us are addressing this Russian backdoor on our networks, we probably want to at least be able to detect it. Snort is an IDS for detecting and alerting on suspicious activity on your network. Let's use it to detect whether you have a Russian backdoor from the SolarWinds hack on your network.
Step #1: Install Snort on Your System
If you don't already have Snort installed on your network, you can download it from nearly any of the Linux repositories. In addition, you can download it directly from Snort here. If you are installing snort for the first time, follow my tutorial here.
Step #2 Open the Snort Rules File
Next, we need to open the Snort rules file. You can find it at etc/snort/rules/community.rules. You can use any test editor.
Step #3: Copy this Rule to Your Rules File
With you community rules file open, copy the following rule into this file.
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.Sunburst"; content:"deftsecurity.com"; sid:77600853; rev:1;)
Now, save your community.rules file and close your text editor.
Step #4: Re-Start Snort
Finally, restart snort and your rule will be activated and looking for activity of this Russian backdoor on your system!
The SolarWinds hack is among the most dangerous hacks in history! If you suspect you might be a victim of this compromise, you can use Snort to detect the backdoor.