Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Killswitch Found for Malware Used in SolarWinds Hack

A killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting IT management and monitoring firm SolarWinds and its customers.

A killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting IT management and monitoring firm SolarWinds and its customers.

FireEye, which disclosed the attack earlier this month after the threat actor managed to breach its systems and steal some Red Team tools, revealed that the attacker had compromised SolarWinds systems and used its access to deliver a piece of malware named SUNBURST.

The malware, which is configured to remain dormant for a certain period after installation, is capable of collecting information about the infected computer, downloading and executing code, creating and deleting files, reading and manipulating registry entries, and rebooting the system. In the case of targets that were of interest, the hackers also delivered a backdoor called Teardrop and a Cobalt Strike payload.

During its analysis of the malware, FireEye noticed that SUNBURST had been communicating with a domain named avsvmcloud[.]com. The cybersecurity firm worked with Microsoft and registrar GoDaddy to seize control of the domain.

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution,” a FireEye spokesperson told SecurityWeek.

“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST,” they added.

SolarWinds confirmed this week that malicious actors hacked the build system for its Orion monitoring product and delivered trojanized updates to customers between March and June 2020. The company believes up to 18,000 of its 300,000 customers may have received the malicious components. Following the breach, SolarWinds has removed from its website a page listing important customers.

The victims include several U.S. government organizations and, according to FireEye, many organizations in the government, technology, consulting, extractive and telecom sectors in North America, Europe, the Middle East and Asia.

Advertisement. Scroll to continue reading.

Symantec, which also analyzed the attack, said it had identified the trojanized software updates on over 2,000 computers at more than 100 customers.

The attacker has been described as a sophisticated threat actor that is likely backed by a nation state. Some reports said it was Russian hackers, specifically the group known as Cozy Bear and APT29, but the reports have yet to be confirmed and the Kremlin has denied the accusations.

Related: SolarWinds Removes Customer List From Site as It Releases Second Hotfix

Related: Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...