Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Killswitch Found for Malware Used in SolarWinds Hack

A killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting IT management and monitoring firm SolarWinds and its customers.

A killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting IT management and monitoring firm SolarWinds and its customers.

FireEye, which disclosed the attack earlier this month after the threat actor managed to breach its systems and steal some Red Team tools, revealed that the attacker had compromised SolarWinds systems and used its access to deliver a piece of malware named SUNBURST.

The malware, which is configured to remain dormant for a certain period after installation, is capable of collecting information about the infected computer, downloading and executing code, creating and deleting files, reading and manipulating registry entries, and rebooting the system. In the case of targets that were of interest, the hackers also delivered a backdoor called Teardrop and a Cobalt Strike payload.

During its analysis of the malware, FireEye noticed that SUNBURST had been communicating with a domain named avsvmcloud[.]com. The cybersecurity firm worked with Microsoft and registrar GoDaddy to seize control of the domain.

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution,” a FireEye spokesperson told SecurityWeek.

“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST,” they added.

Advertisement. Scroll to continue reading.

SolarWinds confirmed this week that malicious actors hacked the build system for its Orion monitoring product and delivered trojanized updates to customers between March and June 2020. The company believes up to 18,000 of its 300,000 customers may have received the malicious components. Following the breach, SolarWinds has removed from its website a page listing important customers.

The victims include several U.S. government organizations and, according to FireEye, many organizations in the government, technology, consulting, extractive and telecom sectors in North America, Europe, the Middle East and Asia.

Symantec, which also analyzed the attack, said it had identified the trojanized software updates on over 2,000 computers at more than 100 customers.

The attacker has been described as a sophisticated threat actor that is likely backed by a nation state. Some reports said it was Russian hackers, specifically the group known as Cozy Bear and APT29, but the reports have yet to be confirmed and the Kremlin has denied the accusations.

Related: SolarWinds Removes Customer List From Site as It Releases Second Hotfix

Related: Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.