FireEye, GoDaddy and Microsoft flick SolarWinds SUNBURST 'killswitch'


Actor likely to remain in infected networks, however.

Security vendor FireEye, Microsoft and domain registrar GoDaddy have enabled a "killswitch" for the SUNBURST malware deployed by suspected Russian hackers in a global supply-chain attack.

FireEye's technical analysis of SUNBURST malware instances showed that they have a domain generation algorithm (DGA) to determine which command and control server the program should contact.

The DGA creates a host name that resolves to a subdomain of avsvmcloud.com. 

If the malware detects that the domain name system A record resolves to an RFC 1918 internet protocol address used for local area networks, or four other blocks of routable addresses, SUNBURST will terminate itself.

One of the IP address blocks that the malware checks is 20.140.0.0/15 which is assigned to Microsoft.

GoDaddy, FireEye and Microsoft have now configured the A record for avsvmcloud.com to resolve to 20.140.0.1, which causes the malware to deactivate itself and prevent further execution.
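The deactivation check the article describes, modelled as an added example (this is not FireEye's, Microsoft's or the malware's code): the RFC 1918 ranges and the Microsoft-assigned 20.140.0.0/15 block come from the article, the other routable blocks it mentions are left as a labelled placeholder, and the DNS data is a constructed stand-in for a wildcard record on avsvmcloud.com.

```python
"""Model of the SUNBURST killswitch condition: exit when the C2 host's
A record lands in private space or in a listed routable block."""
import ipaddress
from typing import Dict, Optional

# Private address space (RFC 1918); resolving here makes the backdoor exit.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Routable blocks that also trigger the exit. Only 20.140.0.0/15 is named
# in the article; the remaining blocks are deliberately not filled in.
ROUTABLE_KILL_BLOCKS = [
    ipaddress.ip_network("20.140.0.0/15"),  # assigned to Microsoft
    # PLACEHOLDER: four further blocks, not enumerated in the article
]

# Constructed resolver tables, not real DNS data. Before the takeover the
# DGA subdomains resolved to attacker infrastructure (stand-in: a
# documentation address); afterwards avsvmcloud.com points at 20.140.0.1.
BEFORE_SINKHOLE: Dict[str, str] = {"avsvmcloud.com": "203.0.113.10"}
AFTER_SINKHOLE: Dict[str, str] = {"avsvmcloud.com": "20.140.0.1"}


def killswitch_triggered(ip_text: str) -> bool:
    """True when the resolved address sits in a block that makes SUNBURST exit."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in block for block in RFC1918_BLOCKS + ROUTABLE_KILL_BLOCKS)


def resolve_a_record(host: str, records: Dict[str, str]) -> Optional[str]:
    """Wildcard-style lookup: walk up the labels so a record configured on
    avsvmcloud.com answers for any DGA-generated subdomain beneath it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        answer = records.get(".".join(labels[i:]))
        if answer is not None:
            return answer
    return None


def sunburst_would_deactivate(host: str, records: Dict[str, str]) -> bool:
    """Combine resolution and the block check for one DGA host name."""
    ip = resolve_a_record(host, records)
    return ip is not None and killswitch_triggered(ip)


if __name__ == "__main__":
    dga_host = "dga-output-example.avsvmcloud.com"  # constructed name
    print("before sinkhole:", sunburst_would_deactivate(dga_host, BEFORE_SINKHOLE))
    print("after sinkhole: ", sunburst_would_deactivate(dga_host, AFTER_SINKHOLE))
```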

In a statement, FireEye cautioned that the killswitch will only disable SUNBURST deployments that are connecting to avsvmcloud.com and not remove the attacker from victim networks.

FireEye said it has seen the intruder quickly establish additional persistence mechanisms for accessing victim networks, besides using the SUNBURST backdoor.

SUNBURST is a trojanised version of the Orion network management plug-in that was used to compromise some 18,000 customers for close to nine months by breaching a SolarWinds update server and dropping malicious software on it.

SolarWinds products are used by the United States and British governments, and the majority of US Fortune 500 companies.

Copyright © iTnews.com.au . All rights reserved.