Lists of Companies Affected by the SolarWinds Hack has Published

Several information security companies have published lists of SolarWinds customers who have been affected by the hacking of the company  and the infection of the Orion platform with malware. The victims of hackers include tech companies, local governments, universities, hospitals, banks, telecom operators and many others.

Notable names include Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense. MediaTek, one of the world’s largest semiconductor manufacturers, is also believed to have been affected, although researchers are not yet 100% sure.

Let me remind you that the malware that spread using malicious versions of Orion (released between March and June 2020) was codenamed SUNBURST (aka Solorigate). According to reports from  Microsoft ,  FireEye ,  McAfee ,  Symantec , Kaspersky Lab and the US Department of Homeland Security’s Cybersecurity and Infrastructure Protection Agency ( DHS CISA ), the malware collected information about the victim’s network in infected systems, waited 12-14 days and then sent this data to the attackers’ remote server. If after that the malware operators recognized the company’s network as interesting, they developed the attack further and continued to collect information.

According to official figures, of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on 18,000 customers. Initially, it was believed that only SolarWinds specialists would be able to identify all the victims, but as other experts continued to study the work of SUNBURST, they discovered some peculiarities in the work of the malware. For example, related to how she pings her C&C server.

It turned out that SUNBURST was sending data collected on the infected network to the URL of its C&C server, unique for each victim. The unique URLs were subdomains of avsvmcloud [.] Com and consisted of four parts, the first of which was a seemingly random string. However, security researchers soon noticed that this string was not actually random, but contained the encoded domain name of the victim’s local network.

Let me remind you that, according to FireEye, despite the compromise of 18,000 SolarWinds customers, the hackers continued to attack only the networks of 50 companies . Microsoft experts, in turn, wrote that they were able to identify about 40 victims from among their customers.

The attack usually progressed when the avsvmcloud [.] Cxom control server responded to malware with a specific DNS response with a specific CNAME field. This special field contained the address of the second command and control server, from which SUNBURST could receive additional commands and sometimes download more malware.

At present, only one company is known for certain, which the hackers continued to hack – this is the information security company FireEye, whose reaction to the attack shed light on the compromise of SolarWinds in general.

Edition ZDNet reports that there are now many in the IB community work with content delivery networks, Internet service providers and other companies for the passive DNS data collection and tracking traffic avsvmcloud [.] Com. All this activity is aimed at identifying other victims, to whose networks cybercriminals could also gain in-depth access. Reporters cite a table compiled by the aforementioned company Truesec, which contains decoded internal domain names for some of the victims of the SolarWinds compromise. We quote this list below.