Cyber Security

FireEye, GoDaddy and Microsoft release SolarWinds kill-switch

0

Microsoft, FireEye, and GoDaddy have partnered to create a kill switch for the Sunburst backdoor that was used in the recent SolarWinds supply chain attack.

Russia-linked hackers breached SolarWinds by using a trojanized SolarWinds Orion business software updates to distribute the backdoor dubbed as SUNBURST.

Microsoft partnered with other cybersecurity firms to seize the primary domain used in the SolarWinds attack (avsvmcloud[.]com) in order to identify all victims and prevent other systems from being served malicious software.

The domain avsvmcloud[.]com was the command and control (C&C) server for the backdoor delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.

The tainted version of SolarWinds Orion plug-in masqueraded network traffic as the Orion Improvement Program (OIP) protocol, it communicates via HTTP to C2 to retrieve and execute malicious commands, dubbed “Jobs.” The backdoor supports multiple features, including file transferring, executing files, disabling system services, and gathering system info.

The attackers used VPN servers in the same country as the victim to obfuscate the IP addresses and evade detection.

According to FireEye, if the C2 server resolved to an IP address in one of the following ranges, the backdoor would terminate and will never execute again:

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

224.0.0.0/3

fc00:: – fe00::

fec0:: – ffc0::

ff00:: – ff00::

20.140.0.0/15

96.31.172.0/24

131.228.12.0/22

144.86.226.0/24

This information allowed FireEye and Microsoft to create a kill switch for the Sunburst backdoor, as first reported by the popular expert Brian Krebs.

FireEye said that depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. The security firm collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.

This kill switch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com.

This kill switch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.

GoDaddy has created a wildcard DNS resolution that resolves any subdomain of avsvmcloud[.]com to 20.140.0.1, which is controlled by Microsoft. This IP address is included in the 20.140.0.0/15 range that causes the malware to permanently terminates.

According to experts, kill switch would only terminate the Sunburst infection, but other payloads dropped by the threat actors on the infected machine will likely continue to work.

Image Credits : Financial Times

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Three million users installed 28 malicious Chrome or Edge extensions

    Previous article

    Microsoft confirms breach in SolarWinds supply chain hack

    Next article

    You may also like

    Comments

    Leave a reply

    Your email address will not be published. Required fields are marked *