Microsoft and Industry Partners Seize Key Domain Used In SolarWinds Hack

An anonymous reader quotes a report from ZDNet: Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the matter. The domain in question is avsvmcloud[.]com, which served as command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app. SolarWinds Orion updates versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained a strain of malware named SUNBURST (also known as Solorigate). Once installed on a computer, the malware would sit dormant for 12 to 14 days and then ping a subdomain of avsvmcloud[.]com.

According to analysis from security firm FireEye, the C&C domain would reply with a DNS response that contained a CNAME field with information on another domain from where the SUNBURST malware would obtain further instructions and additional payloads to execute on an infected company's network. Earlier today, a coalition of tech companies seized and sinkholed avsvmcloud[.]com, transferring the domain into Microsoft's possession. Sources familiar with today's actions described the takedown as "protective work" done to prevent the threat actor behind the SolarWinds hack from delivering new orders to infected computers.

Microsoft finally does something right

[dutt]

It's not everyday I take my hat off to Microsoft. At least they got this sinkhole right.

Re:

[bmimatt]

Microsoft's been in the 'seizing key domains' business recently it seems. I wonder how they appointed themselves to this coveted position.

Office 365 phishing pages, with logos (tm)

[raymorris]

In most of of the cases, the bad guys used the domains for fake O365 login pages, covered with Microsoft trademarks.

That is of course damaging to their Office 365 brand and is an unlawful use of their trademarks.

So far Microsoft seems to have done the right things when they get control of the domains.

Um, think about that for a second

[raymorris]

You're asking if formerly malicious domains now controlled by *Microsoft* are used to hack your OS?

Hmm, maybe. Let's think about that. If *Microsoft* wanted to change something in the OS, how could they possibly do that?

They'd need some method that wouldn't be blocked by the vendor of the OS. Wouldn't want whoever makes Windows to prevent *Microsoft* from making changes to the OS. Also, they'd need a method that wouldn't have any security professionals looking carefully at what's going on with any domai

Re:

[bmimatt]

Sure, subdomains of Microsoft's domains are easy to 'take control of' for them.
TFAsummary says: "...The domain in question is avsvmcloud[.]com..." which doesn't seem to have anything to do with Microsoft.
What I am really questioning here is the 'Microsoft and coalition of tech companies' part. Granted I only scanned through the summary as I can rarely be bothered to click through to the sources, but I see Microsoft attached to many recent articles about domain takeovers from $badGuys, and that looks stran

Re:

[raymorris]

Not subdomains of O365. FAKE O365 login pages are used routinely by the bad guys, to steal credentials.

Because the bad guys are pretending to be Microsof, using Microsoft's trademarks, that gives MS legal standing to do something about it.

Control of the CnC domains means they can shut down the malware. They can also track the number of infections, etc.

Re:

[Anonymous Coward]

What I am really questioning here is the 'Microsoft and coalition of tech companies' part.

The international courts can issue any orders the judges want to issue.
In all these cases they instruct the FBI to hand deliver orders to Verisign to reassign the domains ownership and NS glue records.

Microsoft happens to be a company quite friendly to the US federal government, and have worked with the FBI for some time.
They also happen to have the network infrastructure to handle being the destination for such traffic (Think Azure infrastructure)

Most of the big network names that come to my mind aren't ex

Re:

[Tokolosh]

Nothing in the article or links says that there was judicial involvement and due process.

Closing the barn door

[Ken_g6]

After the Cozy Bear got in, ate all the livestock, and escaped.

Re:

[awwshit]

Are you arguing that they should leave the door open?

Seems a PR move at best

[etudiant]

Given that this was a carefully built piece of malware, I'd be astonished if there was just a single command domain.
Unless MS and friends have parsed the entire code, one should assume that there are at least a couple of backups, so the effort is not lost by losing this C&C domain.

What has really happened?

[comodoro]

So the header (and the article) is saying something about seizing, while later it turns out that the domain was "sinkholed". I am not aware of this technique and would welcome an explanation of what really happened. Is the domain just being redirected in Microsoft`s & co DNS servers? And why is law enforcement mentioned in the article? And on what orders did all this happen? Does it mean that technical companies can, on a whim, "sinkhole" any domain they choose?

Weird search result

[MrL0G1C]

So I googled... how does SUNBURST infect
And I got results with the words IS, ARE, WILL, CAN all highlighted in the results as if I searched for those. And many of the results seem to be related to drugs and disease instead of computer viruses.

Anyone else get this and any theory as to why this just happened?

Re:

[drinkypoo]

Yes, I did, and also the word "what".

Very odd.

Re:

[account_deleted]

Comment removed based on user account deletion