CISA Launches Tool to Detect Post-Compromise Threat Activity Tied to SolarWinds Hack
The Cybersecurity and Infrastructure Security Agency has introduced a new tool to detect post-compromise threat activity from the SolarWinds incident.
CISA’s Aviary dashboard goes hand in hand with Sparrow, a threat detection tool that the agency released in December to help network defenders find Azure/Microsoft O365 accounts that may have been compromised by the SolarWinds hack.
With Aviary, users can visualize and analyze data outputs generated by Sparrow, Health IT Security reported.
CISA encourages potential Aviary users to review its “Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments” alert, which addresses malicious activity attributable to an advanced persistent threat actor.
Vulnerabilities tied to the SolarWinds Orion platform were first disclosed in December.
The threat actors behind the SolarWinds hack were able to gain access to multiple public, private and government sector entities by exploiting trojanized updates to the Orion software.
According to the White House, approximately 100 organizations and nine federal agencies were affected by the attack.
The release of the Aviary dashboard comes weeks after CISA unveiled an on-premises threat detection tool to facilitate remediation efforts related to the SolarWinds incident.
The CISA Hunt and Incident Response Program tool is built to find indicators of compromise linked to the exploitation of vulnerabilities in SolarWinds Orion products and threat activity in Microsoft Cloud environments.
CHIRP has plugins to search through event logs and registry keys. It can also look for signs of advanced persistent threat tactics, techniques and procedures.
Users of the new tool are encouraged to look through Windows event logs and the registry for IOCs tied to SolarWinds activity and to apply YARA rules to detect backdoors, malware or implants.