iTnews

FireEye, GoDaddy and Microsoft flick SolarWinds SUNBURST 'killswitch'

By Juha Saarinen on Dec 17, 2020 12:25PM

Actor likely to remain in infected networks, however.

Security vendor FireEye, Microsoft and domain registrar GoDaddy have enabled a "killswitch" for the SUNBURST malware deployed by suspected Russian hackers in a global supply-chain attack.

FireEye's technical analysis of SUNBURST malware instances showed that they have a domain generation algorithm (DGA) to determine which command and control server the program should contact.

The DGA creates a host name that resolves to a subdomain of avsvmcloud.com.

If the malware detects that the domain name system A record resolves to an RFC 1918 internet protocol address used for local area networks, or four other blocks of routable addresses, SUNBURST will terminate itself.

One of the IP address blocks that the malware checks is 20.140.0.0/15 which is assigned to Microsoft.

GoDaddy, FireEye and Microsoft have now configured the A record for avsvmcloud.com to resolve to 20.140.0.1, which causes the malware to deactivate itself and prevent further execution.

In a statement, FireEye cautioned that the killswitch will only disable SUNBURST deployments that are connecting to avsvmcloud.com; it does not remove the attacker from victim networks.
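The practical consequence for defenders is that a host which queried any avsvmcloud.com subdomain was running the backdoor, whether or not the answer it received fell into a killswitch range. The following triage script is an added example (not FireEye's or Microsoft's code); it assumes a constructed one-line-per-query resolver log format and includes only the address blocks the article names (RFC 1918 and 20.140.0.0/15), not the four unlisted routable blocks.

```python
import ipaddress
import re
from typing import Dict, List

# Blocks named in the article: RFC 1918 private ranges plus the Microsoft
# block 20.140.0.0/15 that the killswitch A record (20.140.0.1) sits in.
# The article mentions four other routable blocks but does not list them,
# so they are deliberately absent here.
KILLSWITCH_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("20.140.0.0/15"),
]

C2_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log (hypothetical format, constructed values).
SAMPLE_LOG = """\
2020-12-16T09:14:02Z 10.1.2.33 query=dgalabel0001.avsvmcloud.com answer=20.140.0.1
2020-12-16T09:14:05Z 10.1.2.34 query=www.example.com answer=93.184.216.34
2020-12-15T22:10:41Z 10.1.2.35 query=dgalabel0002.avsvmcloud.com answer=203.0.113.7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)


def is_killswitch_address(ip: str) -> bool:
    """True if a resolved A record would make SUNBURST terminate itself."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in KILLSWITCH_BLOCKS)


def triage_dns_log(log_text: str) -> List[Dict[str, object]]:
    """Return every client that queried the C2 domain or a subdomain of it.

    Each finding records whether the answer hit a killswitch block; either
    way the client needs incident response, since the actor is known to
    establish other persistence beyond the SUNBURST backdoor.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname != C2_DOMAIN and not qname.endswith("." + C2_DOMAIN):
            continue
        findings.append({
            "client": m["client"],
            "qname": qname,
            "answer": m["answer"],
            "backdoor_deactivated": is_killswitch_address(m["answer"]),
        })
    return findings
```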

FireEye said it has seen the intruder quickly establish additional persistence mechanisms to access victim networks, besides using the SUNBURST backdoor.

SUNBURST is a trojanised version of a SolarWinds Orion network management plug-in; by breaching a SolarWinds update server and dropping malicious software on it, the attackers used it to compromise some 18,000 customers over close to nine months.

SolarWinds products are used by the United States and British governments, and the majority of US Fortune 500 companies.

Copyright © iTnews.com.au . All rights reserved.