Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack. Mobile devices continue their march toward becoming powerful productivity machines. But they are also major security risks if they aren’t managed properly. We look at the latest wisdom and best practices for securing the mobile workforce. The domain in question is avsvmcloud[.]com, which served as a command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company’s Orion app. At the time of their release between March 2020 and June 2020, the SolarWinds Orion versions 2019.4 through 2020.2.1 contained a strain of malware named SUNBURST (also known as Solorigate).
Takedown to stop last-minute attempts to hack
The recent sinkholeing of avsvmcloud[.]com by a coalition of tech companies transferred the domain ownership to Microsoft. Sources familiar with today’s actions described the takedown as “protective work” done to prevent the threat actor behind the SolarWinds hack from delivering new orders to infected computers. Despite the SolarWinds breach becoming public on Sunday, the SUNBURST operators could still deploy additional malware payloads on the networks of companies that failed to update their Orion applications and still had the SUNBURST malware installed on their network. SolarWinds estimated on Monday that over 18,000 customers have installed the trojanized Orion app update, and most likely have the first-stage SUNBURST malware. Nonetheless, the hackers do not seem to have exploited all these systems and have only targeted a small number of carefully-planned intrusions into the networks of high-profile targets. The report was attributed to US security firm Symantec, which said that it discovered SUNBURST malware on the internal networks of 100 of its customers, although it did not observe any second-stage payloads or network escalation activity. According to Reuters, who confirmed the report with independent sources, many companies that installed the trojanized Orion app update did not find evidence of any further activity and escalation from the malware, confirming that hackers primarily targeted big-name companies.
Since Sunday, when the SolarWinds hack came to light, the number of confirmed victims has grown to include:
- US cybersecurity firm FireEye
- The US Treasury Department
- The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
- The Department of Health’s National Institutes of Health (NIH)
- The Cybersecurity and Infrastructure Agency (CISA)
- The Department of Homeland Security (DHS)
- The US Department of State
Sinkholing operations are underway to discover all victims.
Currently, the avsvmcloud[.]com domain redirects to an IP address owned by Microsoft, with Microsoft and its partners receiving beacons from all the systems where the trojanized SolarWinds app has been installed.
The technique, known as sinkholing, is allowing Microsoft and its partners to compile an extensive list of infected victims, which they plan to use to notify all affected companies and government agencies.
“This is not the first time a domain associated with malware has been seized by international law enforcement and even by a provider,” ExtraHop CTO Jesse Rothstein told ZDNet in an email, referring to Microsoft’s previous takedown and sinkholing efforts against the Necurs and TrickBot botnets. Ongoing takedown and sinkholing efforts also involve the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, which is trying to pinpoint other US government agencies that may have been compromised. As SolarWinds has a large US government customer base, the government has declared the security crisis a national security emergency. On Thursday, the White House held a rare meeting of the US National Security Council to discuss the hack and its repercussions. Indicators of compromise and instructions on how to discover and deal with a SUNBURST malware infection are available from Microsoft, FireEye, and CISA.
Once installed, the malware would remain dormant in a computer for 12 to 14 days and then attempt to ping a subdomain of avsvmcloud[.]com. FireEye found that a C&C domain would issue a DNS reply that contains a CNAME field with information on another domain from which the SUNBURST malware can obtain additional instructions and execute additional payloads on an infected company’s network.