Threat Watch

Microsoft and industry partners seize key domain used in SolarWinds hack

After creating a sinkhole for the domain, Microsoft and a coalition of other companies have seized the domain avsvmcloud[.]com. This domain served as a Command & Control (C2) host for the attackers and delivered the SUNBURST backdoor to 18,000 SolarWinds customers. Because the malware sits dormant for 12-14 days before calling back to the C2, it may take more time to discover who is affected. This effort to sinkhole this domain is to find potentially exposed victims and gain a clearer picture of the overall problem.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Independent researchers and other organizations such as the RedDrip Team from QiAnXin Technology have decoded the unique subdomains to compile a list of known victims. As recommended previously, implement the newest hotpatch, bring the affected systems offline until incident response procedures are followed, and the problem’s scope can be taken into account.

References:
SunBurst_DGA_Decode Script: https://github.com/RedDrip7/SunBurst_DGA_Decode
Decoded Domains: https://pastebin.com/6NukuxBN
SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory
CISA Advisory: https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
DHS Directive:https://cyber.dhs.gov/ed/21-01/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support