mandiant / sunburst_countermeasures

BSD 2-Clause "Simplified" License

Remove COSMICGALE and SUPERNOVA rules #5

Closed itsreallynick closed 3 years ago

itsreallynick commented 3 years ago

Please consider removing this Yara rule from the repo to reduce ongoing industry confusion. Based on my analysis, shared with FEYE pre-publication on 2020-12-10, this unsigned SolarWinds "plugin"/webshell DLL (SUPERNOVA) may be abused maliciously - but that post-exploitation activity and file writes occur within inetpub in the wild and are more indicative of web-facing exploitation, with artifacts more similar to CVE-2019-8917. One of the post-compromise scripts run is what is labeled as COSMICGALE.

As there is no tie to the software supply chain compromises, we are not currently tracking this as the same threat actor - and my understanding is that FireEye is also no longer tracking this as UNC2452. Since COSMICGALE and SUPERNOVA are not referenced in the blog with this delineation, it's probably better to remove them for now (or add clarification if there's a linkage).

-YOUR BOY CARR

itsreallynick commented 3 years ago

In addition, please consider removing line 8 from: https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv#L8 and the contents of https://github.com/fireeye/sunburst_countermeasures/tree/main/rules/SUPERNOVA and https://github.com/fireeye/sunburst_countermeasures/tree/main/rules/COSMICGALE to reflect any removals in the all-rules file I proposed the edit to.

itsreallynick commented 3 years ago

Thanks for manually removing the COSMICGALE & SUPERNOVA rules. I am closing my PR.