

A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.

Austin, Texas-based SolarWinds disclosed this week that a compromise of its software update servers earlier this year may have resulted in malicious code being pushed to nearly 18,000 customers of its Orion platform.

federal agencies and Fortune 500 firms use(d) Orion to monitor the health of their IT networks.

13, cyber incident response firm FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first compromised back in March 2020. FireEye said hacked networks were seen communicating with a malicious domain name - avsvmcloud[.]com - one of several domains the attackers had set up to control affected systems.

As first reported here on Tuesday, there were signs over the past few days that control over the domain had been transferred to Microsoft. Asked about the changeover, Microsoft referred questions to FireEye and to GoDaddy, the current domain name registrar for the malicious site.

Today, FireEye responded that the domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software update from communicating with the attackers.

“SUNBURST is the malware that was distributed through SolarWinds software,” FireEye said in a statement shared with KrebsOnSecurity. What’s more, the company said the domain was reconfigured to act as a “killswitch” that would prevent the malware from continuing to operate in some circumstances.

“As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.”

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.

“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.”

“This killswitch will not remove the actor from victim networks where they have established other backdoors. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.”
