FireEye and partners GoDaddy and Microsoft have deployed a so-called kill-switch against the SolarWinds Sunburst/Solarigate malware used by a state-backed actor to compromise multiple US government departments and FireEye, mitigating some of the potential impact of the wide-ranging attack.
The cyber attack saw the compromise of SolarWinds’ network and the insertion of code into its Orion network management platform, which was then distributed to about 18,000 customer organisations and used as a means for the attackers to compromise their victims.
In a statement initially circulated to KrebsOnSecurity, which was first to report the release, FireEye said it had found that, depending on the IP address returned when the malware calls out to its command and control (C2) infrastructure via the avsvmcloud[.]com domain, Sunburst terminates itself and prevents further execution.
“This kill-switch will affect new and previous Sunburst infections by disabling Sunburst deployments that are still beaconing to avsvmcloud[.]com,” a FireEye spokesperson said in the statement.
By working together to seize this domain and creating a wildcard domain name system (DNS) resolution to force it to resolve to an IP address in its blocklist – in this case 20.140.0.1 – FireEye, GoDaddy and Microsoft have ensured Sunburst will cease to function.
The IP address in question is controlled by Microsoft, which is probably why the creators of Sunburst added it to their blocklist in order to better obfuscate their activity.
However, FireEye went on to point out that this was not necessarily a cure-all for Sunburst victims, because in the intrusions it has seen to date, the attackers quickly established further backdoors and persistence mechanisms.
“This kill-switch will not remove the actor from victim networks where they have established other backdoors,” said the firm’s spokesperson. “However, it will make it more difficult for the actor to leverage the previously distributed versions of Sunburst.”
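The kill-switch described above turns the sinkhole answer into a useful detection signal: any internal host still resolving the C2 domain ran Sunburst, whether or not the beacon was disabled. The following is an added example, not FireEye's or SolarWinds' code, that scans constructed DNS resolver log lines (a hypothetical "timestamp client query= answer=" format) for queries under avsvmcloud.com and records whether each host received the sinkhole address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Sinkhole address the seized domain now resolves to (from the article).
SINKHOLE_IP = ipaddress.ip_address("20.140.0.1")
# Sunburst C2 domain; beacons used victim-specific labels beneath it, so match any subdomain.
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample log lines in a hypothetical resolver log format.
SAMPLE_LOG = """\
2020-12-16T10:01:02Z 10.1.4.22 query=www.example.com answer=93.184.216.34
2020-12-16T10:02:15Z 10.1.4.57 query=k3j9x2.constructed-label.avsvmcloud.com answer=20.140.0.1
2020-12-16T10:03:40Z 10.1.7.9 query=updates.vendor.example answer=203.0.113.10
2020-12-16T10:04:05Z 10.1.4.57 query=k3j9x2.constructed-label.avsvmcloud.com answer=20.140.0.1
2020-12-16T10:05:11Z 10.1.9.3 query=p7q1zz.constructed-label.avsvmcloud.com answer=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$")


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    answer: str
    killswitch_hit: bool  # True when the answer is the sinkhole, i.e. this beacon was disabled


def is_c2_query(qname: str) -> bool:
    """Match the C2 domain itself or any label beneath it, but not look-alike names."""
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def find_sunburst_beacons(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_c2_query(m["qname"]):
            continue
        try:
            answer = ipaddress.ip_address(m["answer"])
        except ValueError:
            continue  # unparseable answer (e.g. NXDOMAIN); skip rather than misclassify
        findings.append(Finding(m["client"], m["qname"], m["answer"], answer == SINKHOLE_IP))
    return findings


def hosts_to_investigate(log_text: str) -> Dict[str, bool]:
    """Map each host that queried the C2 domain to whether the kill-switch engaged.
    Either way the host ran Sunburst and needs incident response: a sinkholed answer
    only means this beacon stopped, not that other backdoors are absent."""
    result: Dict[str, bool] = {}
    for f in find_sunburst_beacons(log_text):
        result[f.client] = result.get(f.client, False) or f.killswitch_hit
    return result
```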
Meanwhile, questions continue to mount for SolarWinds as more intelligence trickles out around the attack. On Wednesday 16 December, researchers at Intel471 said they had seen Russian-language actors trying to sell access to SolarWinds up to three years ago, and claimed the seller had “allegedly attempted to work his way deeper into the SolarWinds network and eventually to the source code of its products”. This would tally with the method of the Sunburst attack.
The researchers said other actors have since claimed to have access to SolarWinds’ network, including one with links to the REvil/Sodinokibi ransomware gang, although this is not necessarily any indication of a link.
Eran Farajun, executive vice-president at data protection specialist Asigra, said he had been warning about the potential for attacks on remote monitoring and management (RMM) software – such as SolarWinds’ products – for some time.
“RMM was, and remains, a soft underbelly for attacks and backup software is integrated into the SolarWinds RMM platform Orion,” he said. “In the same ways that RMM was compromised and used as a proxy to traverse into the source network and machines and exfiltrate data, a threat actor can do it for profit with ransomware.
“The same happens with backup. Once you are in through the RMM, it is a hop, skip and a jump over into the integrated backup app. The best defensive strategy is to keep these important apps separate and protect them as one protects other vital production systems.”
Other reports in the US media have called into question the actions of people associated with SolarWinds in the run-up to the incident, after top investors were found to have sold millions of dollars’ worth of company stock shortly before the attack was disclosed. The company’s shares have lost over one-fifth of their value since then.
According to the Washington Post, the two investors linked to the suspicious trades are Silver Lake and Thoma Bravo, both high-profile private equity vehicles with massive investments in the tech industry. Between them, they hold 70% of SolarWinds and have six seats on its board, which would give them access to key insider information. Both investors have said they were not aware of the cyber attack, and SolarWinds has made no comment.
Given it is still unknown precisely when SolarWinds became aware of the attack, the timing of the trading activity will almost certainly spark a regulatory investigation by the Securities and Exchange Commission.
All Rights Reserved, Copyright 2000 – 2020, TechTarget