Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’ – Krebs on Security


A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds has been commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.

Austin, Texas-based SolarWinds disclosed this week that a compromise of its software update servers earlier this year could have resulted in malicious code being pushed to about 18,000 customers of its Orion platform. Many U.S. federal agencies and Fortune 500 companies use Orion to monitor the health of their IT networks.

On December 13, cyber incident response firm FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first compromised back in March 2020. FireEye said hacked networks were seen communicating with a malicious domain name, avsvmcloud[.]com, one of many domains the attackers had set up to control affected systems.

As previously reported here on Tuesday, there were indications over the past few days that control over the domain had been transferred to Microsoft. Asked about the change, Microsoft referred questions to FireEye and to GoDaddy, the current domain name registrar for the malicious site.

Today, FireEye responded that the domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software updates from communicating with the attackers. What’s more, the company said the domain had been reconfigured to act as a “killswitch” that would keep the malware from operating under certain circumstances.

“SUNBURST is the malware that was distributed through the SolarWinds software,” FireEye said in a statement shared with KrebsOnSecurity. “As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.”

The statement goes on:

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.

“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.

“This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”

It is likely that, given their visibility into and control over the malicious domain, Microsoft, FireEye, GoDaddy and others now have a good idea which companies may still be struggling with SUNBURST infections.
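The same visibility is available to any defender who keeps DNS query logs: hosts still resolving avsvmcloud[.]com (or any subdomain of it) after the domain was seized are hosts that still carry the SUNBURST backdoor and need remediation. The following hunt script is an added example, not code from the article, FireEye or SolarWinds; the log line format and the sample log lines are constructed assumptions.

```python
"""Hunt DNS query logs for hosts still beaconing to the SUNBURST killswitch domain."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Domain named in the FireEye statement, with the defanging brackets removed for matching.
KILLSWITCH_DOMAIN = "avsvmcloud.com"

# Assumed log format (constructed for this example): "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass
class Beacon:
    """Per-host summary of queries seen for the killswitch domain."""
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    qnames: set = field(default_factory=set)


def is_killswitch_query(qname: str) -> bool:
    """True for the domain itself or any subdomain of it; lookalike domains do not match."""
    q = qname.rstrip(".").lower()          # normalise trailing dot and case
    return q == KILLSWITCH_DOMAIN or q.endswith("." + KILLSWITCH_DOMAIN)


def find_beaconing_hosts(log_lines):
    """Return {client_ip: Beacon} for every host that queried the killswitch domain."""
    hosts = defaultdict(Beacon)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_killswitch_query(m["qname"]):
            continue                       # unparsable line or unrelated query
        b = hosts[m["client"]]
        b.count += 1
        b.first_seen = b.first_seen or m["ts"]
        b.last_seen = m["ts"]
        b.qnames.add(m["qname"].rstrip(".").lower())
    return dict(hosts)


# Constructed sample log: two infected hosts, one clean host, one malformed line.
SAMPLE_LOG = [
    "2020-12-14T03:12:01Z 10.0.0.5 constructedlabel01.avsvmcloud.com A",
    "2020-12-14T03:30:44Z 10.0.0.7 www.example.com A",
    "2020-12-14T04:00:00Z 10.0.0.5 constructedlabel02.AVSVMCLOUD.COM. A",
    "2020-12-14T04:05:10Z 10.0.0.9 avsvmcloud.com A",
    "2020-12-14T04:06:00Z 10.0.0.7 notavsvmcloud.com A",
    "2020-12-14T04:07:00Z 10.0.0.7 avsvmcloud.com.example.net A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, b in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {b.count} queries, {b.first_seen} .. {b.last_seen}, labels={sorted(b.qnames)}")
```

Point the script at real resolver or passive-DNS exports covering the period since the seizure; any host it lists should be treated as still compromised, and, as FireEye notes above, cleaning up SUNBURST itself does not evict an actor who has already added other backdoors.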

The killswitch revelations came as security researchers said they were making progress in decoding SUNBURST’s obfuscated communication methods. Chinese cybersecurity firm RedDrip Team published its findings on GitHub, saying its decoder tool had identified nearly a hundred suspected victims of the SolarWinds/Orion breach, including universities, governments and high-tech companies.

Meanwhile, the potential legal fallout for SolarWinds continues to grow in the wake of the breach. The Washington Post reported on Tuesday that top investors in SolarWinds sold millions of dollars in stock in the days before the intrusion was revealed. SolarWinds’ stock price has fallen by more than 20 percent over the past few days. The Post cited former enforcement officials at the U.S. Securities and Exchange Commission (SEC) who said the sales were likely to prompt an insider trading investigation.

Tags: FireEye, GoDaddy, Microsoft, Orion, RedDrip Team, SolarWinds Breach, SUNBURST
