Microsoft and a coalition of other companies have seized and sinkholed the domain avsvmcloud[.]com. The domain served as the first-stage Command & Control (C2) host for the SUNBURST backdoor, which was distributed through a trojanized SolarWinds Orion update that as many as 18,000 SolarWinds customers installed. Because SUNBURST sits dormant for roughly 12 to 14 days before calling back to the C2, identifying everyone affected may take more time. Sinkholing the domain lets the coalition observe the callbacks, find potentially exposed victims, and gain a clearer picture of the scope of the problem.
Analyst Notes
Independent researchers and other organizations, such as the RedDrip Team from QiAnXin Technology, have decoded the unique, algorithmically generated subdomains that SUNBURST queries under avsvmcloud[.]com to compile a list of known victims. As recommended previously, apply the latest SolarWinds hotfix, and take affected Orion systems offline until incident response procedures have been completed and the scope of the compromise is understood.
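The practical first step for any organization is to search its own DNS logs for resolutions of avsvmcloud[.]com and its subdomains, since each querying host is a candidate SUNBURST victim and the leftmost label of the queried name is the encoded value that the RedDrip7 script cited below decodes. The script here is an added example, not code from the advisory, from Microsoft, or from the RedDrip Team; it assumes a generic one-line-per-query log format ("timestamp client qname rcode"), and the log lines and encoded labels embedded in it are constructed placeholders, not real telemetry or indicators.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Domain seized and sinkholed by Microsoft and partners (from the advisory).
SINKHOLED_DOMAIN = "avsvmcloud.com"

# Dormancy window the advisory gives for SUNBURST before its first callback.
DORMANCY_DAYS = 14

# Assumed log format: "<ISO-8601 UTC timestamp> <client IP> <qname> <rcode>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")

# Constructed sample log. The leftmost labels are placeholders, not real victim IDs.
SAMPLE_DNS_LOG = """\
2020-12-01T03:14:07Z 10.20.30.41 exampleid0001.appsync-api.eu-west-1.avsvmcloud.com NOERROR
2020-12-01T03:14:09Z 10.20.30.41 www.solarwinds.com NOERROR
2020-12-13T22:10:55Z 10.20.30.41 exampleid0001.appsync-api.eu-west-1.avsvmcloud.com NOERROR
2020-12-14T01:02:03Z 10.20.30.77 exampleid0002.appsync-api.us-west-2.avsvmcloud.com NOERROR
2020-12-14T01:05:00Z 10.20.30.99 avsvmcloud.com.example.org NXDOMAIN
2020-12-14T02:00:00Z 10.20.30.12 notavsvmcloud.com NOERROR
"""


@dataclass
class Hit:
    client: str
    first_seen: datetime
    last_seen: datetime
    qnames: set = field(default_factory=set)   # full names queried under the zone
    labels: set = field(default_factory=set)   # leftmost (encoded) labels seen


def in_zone(qname: str, zone: str) -> bool:
    """Label-aware suffix match: true only if qname is `zone` or a subdomain of it.

    A plain endswith() would also match look-alikes such as "notavsvmcloud.com".
    """
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(log_text: str, zone: str = SINKHOLED_DOMAIN) -> dict:
    """Return {client -> Hit} for every client that queried a name under `zone`."""
    hits: dict = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or not in_zone(m["qname"], zone):
            continue
        ts = parse_ts(m["ts"])
        qname = m["qname"].rstrip(".").lower()
        h = hits.get(m["client"])
        if h is None:
            h = hits[m["client"]] = Hit(m["client"], ts, ts)
        h.first_seen = min(h.first_seen, ts)
        h.last_seen = max(h.last_seen, ts)
        h.qnames.add(qname)
        h.labels.add(qname.split(".")[0])
    return hits


def log_window_sufficient(log_text: str, dormancy_days: int = DORMANCY_DAYS) -> bool:
    """True if the retained log spans at least the dormancy window.

    A shorter window cannot prove a host clean: the implant may simply not have
    called back yet within the period that was searched.
    """
    stamps = [parse_ts(m["ts"]) for m in map(LOG_LINE.match, log_text.splitlines()) if m]
    if not stamps:
        return False
    return max(stamps) - min(stamps) >= timedelta(days=dormancy_days)


if __name__ == "__main__":
    for client, h in sorted(hunt(SAMPLE_DNS_LOG).items()):
        print(f"{client}: first {h.first_seen:%Y-%m-%d} last {h.last_seen:%Y-%m-%d} "
              f"labels={sorted(h.labels)}")
    if not log_window_sufficient(SAMPLE_DNS_LOG):
        print(f"warning: log covers less than {DORMANCY_DAYS} days; absence of hits is not conclusive")
```

Two points the sample is built to show: the look-alike names "avsvmcloud.com.example.org" and "notavsvmcloud.com" are correctly ignored, and a log that spans fewer days than the dormancy window produces a warning rather than a clean bill of health. Now that the domain is sinkholed, a successful resolution no longer reaches attacker infrastructure, but the DNS record of the query is still the evidence that the host ran the backdoor, so run the search over as much retained history as is available.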
References:
SunBurst_DGA_Decode Script: https://github.com/RedDrip7/SunBurst_DGA_Decode
Decoded Domains: https://pastebin.com/6NukuxBN
SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory
CISA Advisory: https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
DHS Emergency Directive 21-01: https://cyber.dhs.gov/ed/21-01/