Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’ – Krebs on Security

A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds was commandeered by security experts and repurposed as a “kill switch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.

Austin, Texas-based SolarWinds announced this week that a compromise of its software update servers earlier this year may have resulted in malicious code being pushed to nearly 18,000 customers of its Orion platform. Many US federal agencies and Fortune 500 companies use (or used) Orion to monitor the health of their IT networks.

On December 13, cyber incident response firm FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first tampered with in March 2020. FireEye said hacked networks were seen communicating with a malicious domain name – avsvmcloud[.]com – one of several domains the attackers had set up to control affected systems.

As first reported here Tuesday, there were signs over the past few days that control of the domain had been transferred to Microsoft. Asked about the changeover, Microsoft referred questions to FireEye and to GoDaddy, the current domain name registrar for the malicious site.

Today FireEye responded that the domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software update from communicating with the attackers. The company also said the domain had been reconfigured to act as a “kill switch” that would stop the malware from continuing to run under certain circumstances.

“SUNBURST is the malware that was distributed through SolarWinds software,” FireEye said in a statement shared with KrebsOnSecurity. “As part of FireEye’s analysis of SUNBURST, we identified a kill switch that would prevent SUNBURST from continuing to operate.”

The statement continues:

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye worked with GoDaddy and Microsoft to deactivate SUNBURST infections.”

“This kill switch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.

This kill switch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”

Given their visibility into and control over the malicious domain, Microsoft, FireEye, GoDaddy and others likely now have a good idea of which organizations may still be struggling with SUNBURST infections.
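The same check a network defender can run against their own resolver logs, as an added example that is not code from the article, from FireEye or from any company named here: per FireEye’s statement above, any host still looking up names under avsvmcloud[.]com is a SUNBURST deployment still beaconing. The BIND-style log format, client addresses and subdomain labels below are constructed for the example, and the script knows nothing about which resolved IP triggers the kill switch, since the article does not say.

```python
import re
from collections import defaultdict

# Indicator as the article prints it (defanged so it cannot be resolved by accident).
DEFANGED_C2 = "avsvmcloud[.]com"


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'avsvmcloud[.]com' into a matchable domain name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def is_under_domain(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it. Matching is done on label
    boundaries, so 'notavsvmcloud.com' and 'avsvmcloud.com.attacker.example' do not count."""
    qname = qname.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


# Assumed BIND-style query log line:
#   "... client 10.1.2.3#53211 (name): query: name IN A + (10.0.0.53)"
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def find_beaconing_hosts(log_text: str, indicator: str = DEFANGED_C2) -> dict:
    """Map each client IP that looked up anything under the indicator domain to the list
    of names it queried. Lines that do not parse or do not match the domain are skipped."""
    domain = refang(indicator)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if is_under_domain(qname, domain):
            hits[m.group("client")].append(qname)
    return dict(hits)


# Constructed sample log: hosts, subdomain labels and resolver address are all made up.
SAMPLE_LOG = """\
16-Dec-2020 09:12:01.004 client 10.20.30.41#53211 (k7q2example01.avsvmcloud.com): query: k7q2example01.avsvmcloud.com IN A + (10.20.30.1)
16-Dec-2020 09:12:03.118 client 10.20.30.42#40122 (www.example.org): query: www.example.org IN A + (10.20.30.1)
16-Dec-2020 09:13:44.771 client 10.20.30.77#61402 (AVSVMCLOUD.COM.): query: AVSVMCLOUD.COM. IN A + (10.20.30.1)
16-Dec-2020 09:14:10.530 client 10.20.30.42#40123 (notavsvmcloud.com): query: notavsvmcloud.com IN A + (10.20.30.1)
16-Dec-2020 09:15:02.009 client 10.20.30.88#50001 (avsvmcloud.com.attacker.example): query: avsvmcloud.com.attacker.example IN A + (10.20.30.1)
16-Dec-2020 09:20:17.330 client 10.20.30.41#53290 (m3nexample02.avsvmcloud.com): query: m3nexample02.avsvmcloud.com IN A + (10.20.30.1)
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for host, names in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {len(names)} lookup(s) under {refang(DEFANGED_C2)}, still beaconing")
        for name in names:
            print(f"    {name}")
```

Because the kill switch only stops SUNBURST itself, a host that shows up here should be treated as a compromised machine to investigate for the additional persistence mechanisms FireEye describes, not as a problem the sinkhole has already solved.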

The kill switch revelations came as security researchers said they had made progress in decoding SUNBURST’s obfuscated communication methods. The RedDrip Team, a Chinese cybersecurity research group, published its findings on GitHub, saying its decoder tool had identified nearly a hundred suspected victims of the SolarWinds/Orion breach, including universities, governments and high-tech companies.

Meanwhile, the potential legal ramifications for SolarWinds in the wake of this breach continue to mount. The Washington Post reported Tuesday that top SolarWinds investors sold millions of dollars’ worth of shares in the days before the breach was disclosed. SolarWinds’ stock price has fallen more than 20 percent in recent days. The Post quoted former enforcement officials at the U.S. Securities and Exchange Commission (SEC) saying the sales would likely prompt an insider trading investigation.

Tags: FireEye, GoDaddy, Microsoft, Orion, RedDrip Team, SolarWinds Breach, SUNBURST

This entry was posted on Wednesday, December 16, 2020 at 1:37 pm and is filed under Data Breaches.