FireEye and partners release SolarWinds kill-switch

Avatar for fancyhints
3 years ago

The cyber attack saw the compromise of SolarWinds’ network and the insertion of code into its Orion network management platform, which was then distributed to about 18,000 customer organisations and used as a means for the attackers to compromise their victims.

FireEye, which was first to report the release, said it had found that, depending on the IP address returned when the malware calls out to its command and control (C2) infrastructure using the avsvmcloud[.]com domain, Sunburst terminates itself and prevents further execution.

“This kill-switch will affect new and previous Sunburst infections by disabling Sunburst deployments that are still beaconing to avsvmcloud[.]com,” a FireEye spokesperson said in the statement.

The IP address in question is controlled by Microsoft, which is probably why the creators of Sunburst added it to their blocklist in order to better obfuscate their activity.

However, FireEye went on to point out that this was not necessarily a cure-all for Sunburst victims, because in the intrusions it has seen to date, the attackers quickly established further backdoors and persistence mechanisms.

“This kill-switch will not remove the actor from victim networks where they have established other backdoors,” said the firm’s spokesperson. “However, it will make it more difficult for the actor to leverage the previously distributed versions of Sunburst.”
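The kill-switch described above works at the DNS layer: an implant beaconing to the avsvmcloud[.]com domain keeps running or shuts down depending on the address the resolver hands back. For a defender, the useful check is therefore in resolver logs, which show both which hosts are still beaconing and whether the answers they received fall in the sinkhole range. The following Python script is an added example, not code from the article or from FireEye; it parses a constructed resolver log format, matches the C2 domain label by label (so a look-alike such as avsvmcloud.com.evil.test is not counted), and classifies each beacon by the answer returned. The article does not give the sinkhole address ranges, so `KILL_SWITCH_RANGES` is a labelled placeholder to be replaced with published values.

```python
import ipaddress
import re
from collections import defaultdict

# The domain exactly as the article gives it, "defanged" with [.] so it cannot
# be clicked; it is refanged here only for matching against log entries.
DEFANGED_C2 = "avsvmcloud[.]com"
C2_DOMAIN = DEFANGED_C2.replace("[.]", ".")

# Assumption: the article does not list the sinkhole ranges (it only says the
# address is controlled by Microsoft), so this is a constructed placeholder
# using an RFC 5737 documentation prefix. Replace with published ranges.
KILL_SWITCH_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample resolver log lines in a made-up "query=... answer=..." format.
# Line 1: beacon answered from the placeholder sinkhole range (implant stops).
# Line 3: beacon answered from elsewhere (implant keeps running).
# Line 4: look-alike name that must NOT match (C2 domain is not the suffix).
SAMPLE_LOG = """\
2020-12-16T10:01:02Z client=10.0.5.17 query=abc123.avsvmcloud.com A answer=192.0.2.44
2020-12-16T10:01:09Z client=10.0.5.17 query=www.example.com A answer=93.184.216.34
2020-12-16T10:02:31Z client=10.0.8.201 query=deadbeef.avsvmcloud.com A answer=203.0.113.9
2020-12-16T10:03:00Z client=10.0.9.4 query=avsvmcloud.com.evil.test A answer=198.51.100.1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) "
    r"(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


def is_c2_query(qname: str) -> bool:
    """True if qname is the C2 domain or one of its subdomains (label-aware)."""
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def hits_kill_switch(answer: str) -> bool:
    """True if the resolved address lies in a configured sinkhole range."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:  # NXDOMAIN markers, CNAME targets etc. are not addresses
        return False
    return any(addr in net for net in KILL_SWITCH_RANGES)


def triage(log_text: str) -> dict:
    """Per client still beaconing to the C2 domain, count answers that would
    have triggered the kill-switch ("terminated") versus others ("still_active")."""
    report = defaultdict(lambda: {"queries": 0, "terminated": 0, "still_active": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_c2_query(m["qname"]):
            continue
        entry = report[m["client"]]
        entry["queries"] += 1
        if hits_kill_switch(m["answer"]):
            entry["terminated"] += 1
        else:
            entry["still_active"] += 1
    return dict(report)


if __name__ == "__main__":
    for client, counts in sorted(triage(SAMPLE_LOG).items()):
        print(client, counts)
```

Any client that appears in the report at all still has a Sunburst build on it and needs host-level follow-up, regardless of which bucket its answers fall in; the article's own caveat is that the kill-switch does nothing about other backdoors the actor has planted.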

Meanwhile, questions continue to mount for SolarWinds as more intelligence trickles out around the attack. On Wednesday 16 December, said they had seen Russian-language actors trying to sell access to SolarWinds up to three years ago, and claimed the seller had “allegedly attempted to work his way deeper into the SolarWinds network and eventually to the source code of its products”.

Eran Farajun, executive vice-president at data protection specialist, said he had been warning about the potential for attacks on remote monitoring and management (RMM) software – such as SolarWinds’ products – for some time.

“RMM was, and remains, a soft underbelly for attacks and backup software is integrated into the SolarWinds RMM platform Orion,” he said. “In the same ways that RMM was compromised and used as a proxy to traverse into the source network and machines and exfiltrate data, a threat actor can do it for profit with ransomware.”

Read More – https://fancyhints.com/
