The recently reported supply chain attack on the SolarWinds Orion platform has drawn wide attention because the Orion IT management platform is used by several U.S. government agencies, including the Department of the Treasury, Department of Commerce, and Department of Homeland Security. Beyond its public-sector clientele, SolarWinds Orion is also extensively used in the private sector, including by Boeing and Los Alamos National Laboratory. Thus, the extent of the damage caused by the attack can only be estimated until the final assessment reports come in.
However, to stop the further spread of the Sunburst malware and to provide interim relief to SolarWinds’ clients, a group of tech firms — Microsoft, FireEye, and GoDaddy — collectively devised a “killswitch” to take control of one of the domains that the attackers used to communicate with the malicious code on victims’ systems.
FireEye says it has figured out a way to send shutdown commands to the suspected Russian malware installed through the infected SolarWinds update — but it warns that if hackers have already started exploiting a target network, they’ve likely set up other ways to stay there.
— Eric Geller (@ericgeller) December 16, 2020
Sunburst Malware Killswitch
FireEye, in its report, stated that the compromised networks were seen communicating with a malicious domain, avsvmcloud[.]com, one of many domains the attackers had set up to control and communicate with the affected systems. Gaining control of this domain would therefore at least give SolarWinds some relief by preventing further spread. To that end, researchers from Microsoft and FireEye joined forces and, with the help of the domain registrar GoDaddy, devised a “killswitch” to take over the malicious domain.
The story was first reported by investigative journalist Brian Krebs, who stated, “There were signs over the past few days that control over the domain had been transferred to Microsoft.” FireEye, in its statement, confirmed that it had applied a killswitch to the domain and had additionally reconfigured it so that the Sunburst malware does not operate under certain conditions.
Shedding more light on how the killswitch works, a FireEye spokesperson said:
Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.
This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.
This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.
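As an added example (not from this article, FireEye, or Microsoft), the following Python triages constructed DNS resolver log lines for hosts still beaconing to avsvmcloud[.]com and flags whether the answer they received falls in the kind of address range that, per the statement above, makes the backdoor terminate itself. The log format, the hostnames and addresses, and the list of terminating ranges are all assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed resolver log lines (not real telemetry): "<utc time> <client> qname=<name> answer=<ip>".
# Subdomain labels and addresses are made up; 203.0.113.0/24 is documentation address space.
SAMPLE_DNS_LOG = """\
2020-12-15T10:01:02Z 10.1.2.3 qname=k3x9q2.avsvmcloud.com answer=203.0.113.10
2020-12-15T10:05:04Z 10.1.2.3 qname=k3x9q2.avsvmcloud.com answer=10.0.0.1
2020-12-15T10:06:00Z 10.1.2.9 qname=www.example.com answer=203.0.113.20
2020-12-15T10:07:10Z 10.1.4.7 qname=p7m2aa.avsvmcloud.com answer=192.168.1.1
"""

BEACON_DOMAIN = "avsvmcloud.com"

# Assumed answer ranges that make the backdoor stop. The article only says termination depends on
# the IP address returned; this private/multicast list is an illustrative assumption, not from the page.
TERMINATING_RANGES = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

LINE_RE = re.compile(r"^(\S+) (\S+) qname=(\S+) answer=(\S+)$")

def is_beacon_query(qname: str) -> bool:
    """True for the domain itself or any subdomain of it (suffix match on a label boundary)."""
    q = qname.lower().rstrip(".")
    return q == BEACON_DOMAIN or q.endswith("." + BEACON_DOMAIN)

def answer_triggers_killswitch(answer: str) -> bool:
    """True if the resolved address falls inside one of the assumed terminating ranges."""
    ip = ipaddress.ip_address(answer)
    return any(ip in net for net in TERMINATING_RANGES)

def triage_dns_log(text: str) -> dict:
    """Per beaconing client: beacon count, last answer, and whether a terminating answer was seen."""
    hosts = defaultdict(lambda: {"beacons": 0, "last_answer": None, "killswitch_seen": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log format
        _, client, qname, answer = m.groups()
        if not is_beacon_query(qname):
            continue
        rec = hosts[client]
        rec["beacons"] += 1
        rec["last_answer"] = answer
        rec["killswitch_seen"] = rec["killswitch_seen"] or answer_triggers_killswitch(answer)
    return dict(hosts)
```

Hosts that keep beaconing after a terminating answer was served are the ones to prioritise, since, as the statement notes, the actor may have established other persistence beyond SUNBURST.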
Since the three tech companies now control the malicious domain, it could very well mean that more names of affected SolarWinds clients will be revealed.