• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Hacking
  • Security
  • Microsoft partnered with security firms to sinkhole the C2 used in SolarWinds hack

Microsoft partnered with security firms to sinkhole the C2 used in SolarWinds hack

Pierluigi Paganini December 16, 2020

Microsoft and its partners have seized the primary domain used in the SolarWinds attack to identify the victims through sinkholing.

Microsoft partnered with other cybersecurity firms to seize the primary domain used in the SolarWinds attack (avsvmcloud[.]com) in an attempt to identify all victims and prevent other systems from being served malicious software.

here is list of DGA subdomain c2: avsvmcloud[.]com #SolarWinds #backdoor
c2 domain list: https://t.co/wlpvIKSzx2 pic.twitter.com/NufyhDB5Zj

— R. (@0xrb) December 16, 2020

The domain avsvmcloud[.]com was the command and control (C&C) server for the backdoor delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.

The tainted version of SolarWinds Orion plug-in masqueraded network traffic as the Orion Improvement Program (OIP) protocol, it communicates via HTTP to C2 to retrieve and execute malicious commands, dubbed “Jobs.” The backdoor supports multiple features, including file transferring, executing files, disabling system services, and gathering system info.

The attackers used VPN servers in the same country as the victim to obfuscate the IP addresses and evade detection.

In a security advisory published by SolarWinds, the company confirmed the supply chain attack, the threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020. The vendor recommends users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.

The C&C domain communicates to the bot via DNS responses that contained a CNAME field with information on the domain that will provide further commands and payload to the SUNBURST backdoor.

Now security firms sinkholed the avsvmcloud[.]com domain that is now under the control of Microsoft.

Experts from Symantec confirmed that the presence of the SUNBURST backdoor on the internal networks of 100 of its customers.

“Symantec has identified more than 2,000 computers at over 100 customers that received Trojanized software updates but has not identified any further malicious impact on those machines.” reads the analysis published by Symantec.

After the seizure of avsvmcloud[.]com, the domain redirects to an IP address owned by Microsoft. All the infected machine that will attempt to contact the C2 will be tracked by Microsoft and its partners that will notify the impacted organizations.

The FBI and CISA are still investigating the supply chain attack along with security firms in the attempt to determine the extent of the attack.

US DHS CISA, Microsoft, and FireEye, have shared Indicators of Compromise for the SolarWinds attack.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Supply chain attack)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT FBI FireEye Hacking information security news IT Information Security malware Microsoft Pierluigi Paganini Security Affairs Security News SolarWinds

you might also like

Pierluigi Paganini July 29, 2025
Seychelles Commercial Bank Reported Cybersecurity Incident
Read more
Pierluigi Paganini July 29, 2025
Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Seychelles Commercial Bank Reported Cybersecurity Incident

    Data Breach / July 29, 2025

    Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

    Hacking / July 29, 2025

    U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

    Security / July 28, 2025

    Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

    Security / July 28, 2025

    Scattered Spider targets VMware ESXi in using social engineering

    Cyber Crime / July 28, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT