Microsoft, FireEye, and GoDaddy have partnered to create a kill switch for the Sunburst backdoor that was used in the recent SolarWinds supply chain attack.
Russia-linked hackers breached SolarWinds by using a trojanized SolarWinds Orion business software updates to distribute the backdoor dubbed as SUNBURST.
Microsoft partnered with other cybersecurity firms to seize the primary domain used in the SolarWinds attack (avsvmcloud[.]com) in order to identify all victims and prevent other systems from being served malicious software.
The domain avsvmcloud[.]com was the command and control (C&C) server for the backdoor delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.
The tainted version of SolarWinds Orion plug-in masqueraded network traffic as the Orion Improvement Program (OIP) protocol, it communicates via HTTP to C2 to retrieve and execute malicious commands, dubbed “Jobs.” The backdoor supports multiple features, including file transferring, executing files, disabling system services, and gathering system info.
The attackers used VPN servers in the same country as the victim to obfuscate the IP addresses and evade detection.
According to FireEye, if the C2 server resolved to an IP address in one of the following ranges, the backdoor would terminate and will never execute again:
fc00:: – fe00::
fec0:: – ffc0::
ff00:: – ff00::
This information allowed FireEye and Microsoft to create a kill switch for the Sunburst backdoor, as first reported by the popular expert Brian Krebs.
FireEye said that depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. The security firm collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.
This kill switch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com.
This kill switch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.
GoDaddy has created a wildcard DNS resolution that resolves any subdomain of avsvmcloud[.]com to 188.8.131.52, which is controlled by Microsoft. This IP address is included in the 184.108.40.206/15 range that causes the malware to permanently terminates.
According to experts, kill switch would only terminate the Sunburst infection, but other payloads dropped by the threat actors on the infected machine will likely continue to work.
Image Credits : Financial Times