Security experts have seized control of a key malicious domain used to control the thousands of computers compromised by the SolarWinds hack and turned it into a kill switch.
Recall that last week, Texas-based software maker SolarWinds reported that cybercriminals compromised its servers and injected malware into updates for the Orion platform. As a result of the incident, the networks of organizations using this platform, including the information security company FireEye, the US Treasury Department, and the US Department of Homeland Security, were compromised.
As previously reported, Microsoft was able to seize control of the key GoDaddy-registered domain (avsvmcloud[.]com), which the hackers used to communicate with compromised systems. Now FireEye has announced that the domain takeover was a joint effort between FireEye, GoDaddy and Microsoft.
“SUNBURST is malware that spread through SolarWinds software. During the analysis of SUNBURST, we found a kill switch that could prevent further SUNBURST operations,” FireEye told reporter Brian Krebs.
According to the company, depending on the IP address returned when the malware resolves the avsvmcloud[.]com domain, under certain conditions the malware will shut itself down and will not run.
“This kill switch will affect new and previous SUNBURST infections by deactivating SUNBURST deployments that are still signaled by avsvmcloud[.]com. However, in the infiltrations observed by FireEye, the attacker moves quickly and sets up additional persistence mechanisms to access victim networks outside of the SUNBURST backdoor. The kill switch will not remove an attacker from victim networks where they have installed additional backdoors. However, it will make it harder for an attacker to use previously deployed versions of SUNBURST,” FireEye said.
Given the data that Microsoft, FireEye and GoDaddy now hold, together with their control over the malicious domain, it is reasonable to assume that they have an idea of which organizations are still vulnerable to SUNBURST.
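The hunting angle in the last three paragraphs, as an added illustration that is not code from the article, FireEye or Microsoft: a small Python script that scans DNS resolver logs for hosts still resolving avsvmcloud[.]com, so that SUNBURST deployments which are still signalling the domain can be found and checked for additional persistence. The log format, the subdomains, the client addresses and the sinkhole range 203.0.113.0/24 are constructed assumptions; the article does not say which addresses the taken-over domain resolves to.

```python
import ipaddress
from collections import defaultdict

# Domain the article names as the SUNBURST command-and-control domain.
WATCHED_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log (not real telemetry), one query per line:
# "<timestamp> <client-ip> <queried-name> <answer-ip>".  The subdomains and
# answer addresses are made up for this example.
SAMPLE_DNS_LOG = """\
2020-12-15T10:01:02Z 10.20.30.41 abcd1234.avsvmcloud.com 203.0.113.7
2020-12-15T10:01:05Z 10.20.30.42 updates.example.org 198.51.100.20
2020-12-15T10:03:17Z 10.20.30.41 efgh5678.AVSVMCLOUD.COM. 203.0.113.7
2020-12-15T10:04:00Z 10.20.30.57 ijkl9012.avsvmcloud.com 198.51.100.9
2020-12-15T10:05:30Z 10.20.30.58 notavsvmcloud.com 198.51.100.30
"""

def is_watched(qname: str) -> bool:
    """True if qname is the watched domain or any subdomain of it.
    Normalises case and a trailing dot; 'notavsvmcloud.com' must not match."""
    q = qname.lower().rstrip(".")
    return q == WATCHED_DOMAIN or q.endswith("." + WATCHED_DOMAIN)

def find_beaconing_hosts(log_text: str, sinkhole_nets=()) -> dict:
    """Map each client that resolved the watched domain to its hits as
    (timestamp, qname, answer, sinkholed).  sinkhole_nets is an analyst-supplied
    list of CIDR strings for the addresses the taken-over domain now resolves to;
    the article gives no ranges, so the value used below is an assumption."""
    nets = [ipaddress.ip_network(n) for n in sinkhole_nets]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        if not is_watched(qname):
            continue
        ip = ipaddress.ip_address(answer)
        sinkholed = any(ip in net for net in nets)
        hits[client].append((ts, qname.lower().rstrip("."), answer, sinkholed))
    return dict(hits)

def hosts_needing_review(hits: dict) -> list:
    """Clients with at least one hit that did NOT resolve into the sinkhole ranges:
    a cached or unexpected answer means the kill switch cannot be assumed to have
    fired there, so the host should be examined for additional persistence."""
    return sorted(h for h, recs in hits.items() if not all(r[3] for r in recs))

if __name__ == "__main__":
    found = find_beaconing_hosts(SAMPLE_DNS_LOG, ["203.0.113.0/24"])  # assumed range
    for host, recs in sorted(found.items()):
        print(host, len(recs), "queries;", "review" if host in hosts_needing_review(found) else "sinkholed")
```

Every host listed is still running a SUNBURST deployment and belongs in the incident scope; as FireEye notes above, the kill switch alone does not evict an attacker who has already planted other backdoors.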