Microsoft and a coalition of tech companies stepped in today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the case.
The domain in question is avsvmcloud[.]com, which served as a command and control (C&C) server for malware delivered to approximately 18,000 SolarWinds customers via a trojanized update to the company’s Orion app.
SolarWinds Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contain a type of malware called SUNBURST (also known as Solorigate).
Once installed on a computer, the malware would remain inactive for 12 to 14 days and then ping a subdomain of avsvmcloud[.]com.
According to an analysis by security company FireEye, the C&C domain would reply with a DNS response containing a CNAME record pointing to another domain, from which the SUNBURST malware would fetch further instructions and additional payloads to execute on the network of an infected company.
Takedown to prevent further attacks
Earlier today, a coalition of tech companies seized and sinkholed avsvmcloud[.]com, putting the domain in Microsoft’s possession.
Sources familiar with today’s actions describe the takedown as “protective work” to prevent the threat actor behind the SolarWinds hack from delivering new orders to infected computers.
Even though the SolarWinds hack went public on Sunday, the SUNBURST operators still had the option to deploy additional malware payloads on the networks of companies that had not yet updated their Orion apps and still had the SUNBURST malware installed on their networks.
In SEC documents filed Monday, SolarWinds estimated that at least 18,000 customers had installed the trojanized Orion app update and most likely have the first-stage SUNBURST malware on their internal networks.
However, the hackers don’t seem to have taken advantage of all of these systems and have only carried out a handful of carefully orchestrated intrusions into the networks of high-profile targets.
This was confirmed Monday in a report by US security firm Symantec, which said it had discovered the SUNBURST malware on 100 of its customers’ internal networks, but saw no evidence of second-stage payloads or network escalation.
Likewise, Reuters reported on Monday, and ZDNet’s sources independently confirmed, that many companies that installed the trojanized Orion app update found no evidence of additional activity or escalation on their internal networks, confirming that the hackers were only pursuing high-profile targets.
Since Sunday, when the SolarWinds hack came to light, the number of confirmed victims has grown to:
- American cybersecurity company FireEye
- The United States Treasury Department
- The National Telecommunications and Information Administration (NTIA) of the United States Department of Commerce
- The National Institutes of Health (NIH) of the Department of Health
- The Cybersecurity and Infrastructure Security Agency (CISA)
- The Department of Homeland Security (DHS)
- The United States Department of State
Efforts are underway to identify all victims
Currently the avsvmcloud[.]com domain resolves to an IP address owned by Microsoft, so Microsoft and its partners now receive the beacons from every system on which the trojanized SolarWinds app is installed.
This technique, known as sinkholing, allows Microsoft and its partners to compile a list of all infected victims, which the organizations plan to use to notify every affected business and government agency.
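The two mechanisms described above, the SUNBURST beacon to a subdomain of avsvmcloud[.]com and a CNAME answer that redirects the implant to a second-stage domain, are things a defender can look for in their own DNS resolver logs, and a sinkhole operator compiles its victim list from the same kind of data. The following is an added example, not code from the article, Microsoft or FireEye: it scans a few constructed DNS log lines (a simplified one-record-per-line format assumed for this example), flags lookups for the C2 domain or any of its subdomains, highlights CNAME answers that point outside it, and lists the internal hosts that beaconed. The subdomain labels, client addresses and the second-stage CNAME target are constructed placeholders, not real indicators.

```python
"""Added example: hunt SUNBURST-style DNS beacons in a resolver log.

Log format assumed here (constructed for this example):
    <timestamp> <client_ip> <queried_name> <record_type> <answer>
"""
import re
from dataclasses import dataclass
from typing import List

# The sinkholed SUNBURST C2 domain named in the article (de-fanged brackets removed).
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample log. Subdomain labels, IPs (RFC 5737 documentation ranges)
# and the CNAME target (.invalid TLD) are placeholders, not real indicators.
SAMPLE_LOG = """\
2020-12-15T10:01:02Z 10.0.5.21 www.example.com A 192.0.2.10
2020-12-15T10:02:17Z 10.0.5.21 k3t9q2w8.avsvmcloud.com A 198.51.100.7
2020-12-15T10:03:41Z 10.0.7.9 p7d2m1zx.avsvmcloud.com CNAME stage2.example-placeholder.invalid
2020-12-15T10:04:00Z 10.0.7.9 notavsvmcloud.com A 203.0.113.5
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rtype>[A-Z]+)\s+(?P<answer>\S+)$"
)


@dataclass
class Finding:
    timestamp: str
    client: str
    qname: str
    rtype: str
    answer: str
    reason: str


def is_c2_lookup(qname: str) -> bool:
    """True if qname is the C2 domain itself or any subdomain of it.

    Case and a trailing root dot are normalised, and the match requires a
    label boundary, so a look-alike such as 'notavsvmcloud.com' is not flagged.
    """
    name = qname.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def scan_dns_log(log_text: str) -> List[Finding]:
    """Return one Finding per log line that queried the C2 domain or a subdomain."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # malformed line: skip rather than crash the scan
        rec = match.groupdict()
        if not is_c2_lookup(rec["qname"]):
            continue
        if rec["rtype"] == "CNAME" and not is_c2_lookup(rec["answer"]):
            # Per FireEye's description, a CNAME to another domain is how the
            # implant is pointed at second-stage infrastructure.
            reason = "CNAME answer points outside the C2 domain: possible second-stage redirect"
        else:
            reason = "DNS beacon to SUNBURST C2 subdomain"
        findings.append(Finding(rec["ts"], rec["client"], rec["qname"],
                                rec["rtype"], rec["answer"], reason))
    return findings


def affected_hosts(findings: List[Finding]) -> List[str]:
    """Distinct internal clients that beaconed, i.e. the hosts to notify and check."""
    return sorted({f.client for f in findings})


if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.client} {f.qname} {f.rtype} {f.answer} -> {f.reason}")
    print("hosts to investigate:", affected_hosts(results))
```

The suffix check is the part worth getting right: matching on `endswith("avsvmcloud.com")` without the leading dot would also fire on unrelated names that happen to end in that string, while a plain equality check would miss every per-victim subdomain. A real deployment would feed this the resolver's actual export (BIND query logs, Windows DNS analytic logs, or a passive DNS feed) and correlate the flagged clients with the list of hosts running the affected Orion versions.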
“This is not the first time that a domain related to malware has been seized by international law enforcement officers and even a provider,” ExtraHop CTO Jesse Rothstein told ZDNet in an email, referring to Microsoft’s previous takedown and sinkholing efforts against the Necurs and TrickBot botnets.
Current takedown and sinkholing efforts also include representatives from the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, who are on the lookout for other US government agencies that may have been compromised.
Because of SolarWinds’ extensive customer base within the U.S. government, government officials are treating the SolarWinds compromise as a national security emergency. A day before the SolarWinds breach went public, the White House held a rare meeting of the US National Security Council to discuss the hack and its consequences.
Indicators of compromise and instructions for discovering and dealing with a SUNBURST malware infection are available from Microsoft, FireEye and CISA.