Microsoft partnered with security firms to sinkhole the C2 used in SolarWinds hack

Pierluigi Paganini December 16, 2020

Microsoft and its partners have seized the primary domain used in the SolarWinds attack to identify the victims through sinkholing.

Microsoft partnered with other cybersecurity firms to seize the primary domain used in the SolarWinds attack (avsvmcloud[.]com) in an attempt to identify all victims and prevent other systems from being served malicious software.

The domain avsvmcloud[.]com was the command and control (C&C) server for the backdoor delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.

The tainted version of the SolarWinds Orion plug-in masquerades its network traffic as the Orion Improvement Program (OIP) protocol and communicates with the C2 over HTTP to retrieve and execute malicious commands, dubbed “Jobs.” The backdoor supports multiple features, including transferring files, executing files, disabling system services, and gathering system information.

The attackers used VPN servers in the same country as the victim to obfuscate the IP addresses and evade detection.

In a security advisory published by SolarWinds, the company confirmed the supply chain attack: the threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software, released between March and June 2020. The vendor recommends that users upgrade to Orion Platform release 2020.2.1 HF 1 immediately.

The C&C domain communicates with the bot through DNS responses: a CNAME record in the response points the SUNBURST backdoor to the domain that will serve it further commands and payloads.

Security firms have now sinkholed the avsvmcloud[.]com domain, which is under the control of Microsoft.

Experts from Symantec confirmed the presence of the SUNBURST backdoor on the internal networks of 100 of its customers.

“Symantec has identified more than 2,000 computers at over 100 customers that received Trojanized software updates but has not identified any further malicious impact on those machines.” reads the analysis published by Symantec.

After the seizure of avsvmcloud[.]com, the domain redirects to an IP address owned by Microsoft. All infected machines that attempt to contact the C2 will be tracked by Microsoft and its partners, who will notify the impacted organizations.
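The two mechanisms described above (the CNAME-based redirection in DNS responses, and the fact that lookups of the seized domain now land on a Microsoft-owned sinkhole address) are both visible in resolver logs, so a defender can use the same logs to find hosts that need attention. The following is an added example, not code from the article, Microsoft, Symantec or SolarWinds: it parses a constructed resolver log in an assumed six-column format, flags any lookup of avsvmcloud[.]com or its subdomains (label-aware, so look-alike names do not match), and classifies the answer as a CNAME redirect, a sinkhole hit or something else. The subdomain labels in the sample log and the sinkhole IP in `SINKHOLE_IPS` are placeholders; the article does not give the real values, so they must be taken from the published IoC feeds.

```python
import re
from collections import defaultdict
from typing import Optional

# The C2 domain named in the article. Reports write it defanged as
# avsvmcloud[.]com; normalize() undoes that so both spellings match.
C2_DOMAIN = "avsvmcloud.com"

# Placeholder: the article says the seized domain now redirects to an IP
# owned by Microsoft but does not give it. Populate from an IoC feed.
SINKHOLE_IPS = {"192.0.2.1"}  # hypothetical value for this example only

# Constructed sample resolver log, not real telemetry. Assumed line format:
# <timestamp> <client_ip> <query_name> <qtype> <answer_type> <answer>
SAMPLE_LOG = """\
2020-12-14T09:15:02Z 10.0.5.21 abc123xyz.avsvmcloud.com A CNAME next-stage.example.invalid
2020-12-14T09:15:02Z 10.0.5.21 abc123xyz.avsvmcloud.com A A 203.0.113.10
2020-12-14T09:20:45Z 10.0.7.88 www.example.org A A 93.184.216.34
2020-12-16T11:05:10Z 10.0.9.14 k2mdn8fl.avsvmcloud.com A A 192.0.2.1
2020-12-16T11:06:00Z 10.0.5.21 updates.example.net A A 198.51.100.5
2020-12-16T11:07:30Z 10.0.3.3 notavsvmcloud.com A A 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)"
    r"\s+(?P<atype>\S+)\s+(?P<answer>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case, undo '[.]' defanging and strip the trailing root dot."""
    return name.lower().replace("[.]", ".").rstrip(".")


def is_c2_query(qname: str) -> bool:
    """True if qname is the C2 domain itself or any subdomain of it.
    Matching on a label boundary keeps 'notavsvmcloud.com' from matching."""
    n = normalize(qname)
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into named fields; None if it is not well-formed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_answer(rec: dict) -> str:
    """Label what the resolver returned for a C2-domain lookup."""
    if rec["atype"] == "CNAME":
        return "cname-redirect"  # the redirection mechanism the backdoor relied on
    if rec["atype"] == "A" and rec["answer"] in SINKHOLE_IPS:
        return "sinkhole"        # post-seizure: the lookup lands with Microsoft
    return "other"               # pre-seizure or unrecognized answer


def find_c2_contacts(log_text: str) -> dict:
    """Group every C2-domain lookup by client IP, with its answer class."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_c2_query(rec["qname"]):
            hits[rec["client"]].append(
                {"ts": rec["ts"], "qname": rec["qname"], "result": classify_answer(rec)}
            )
    return dict(hits)


def hosts_to_notify(log_text: str) -> set:
    """Every client that looked up the C2 domain, whatever the answer was:
    a sinkhole hit still means the tainted update is installed."""
    return set(find_c2_contacts(log_text))


if __name__ == "__main__":
    for client, events in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        for e in events:
            print(f"{client} {e['ts']} {e['qname']} -> {e['result']}")
```

A host whose lookups now resolve to the sinkhole is no longer reaching the attackers, but it still carries the trojanized Orion build and belongs on the same remediation list as a host seen receiving a CNAME redirect before the seizure; the classification only tells you which phase the evidence comes from.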

The FBI and CISA are still investigating the supply chain attack along with security firms in an attempt to determine its extent.

US DHS CISA, Microsoft, and FireEye have shared Indicators of Compromise for the SolarWinds attack.


Pierluigi Paganini

(SecurityAffairs – hacking, Supply chain attack)
