Microsoft and Industry Partners Seize Key Domain Used In SolarWinds Hack (zdnet.com)

An anonymous reader quotes a report from ZDNet: Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the matter. The domain in question is avsvmcloud[.]com, which served as command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app. SolarWinds Orion updates versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained a strain of malware named SUNBURST (also known as Solorigate). Once installed on a computer, the malware would sit dormant for 12 to 14 days and then ping a subdomain of avsvmcloud[.]com.

According to analysis from security firm FireEye, the C&C domain would reply with a DNS response that contained a CNAME field with information on another domain from where the SUNBURST malware would obtain further instructions and additional payloads to execute on an infected company's network. Earlier today, a coalition of tech companies seized and sinkholed avsvmcloud[.]com, transferring the domain into Microsoft's possession. Sources familiar with today's actions described the takedown as "protective work" done to prevent the threat actor behind the SolarWinds hack from delivering new orders to infected computers.
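The summary describes two things a defender can act on: the implant's beacon is a DNS lookup of a subdomain under avsvmcloud[.]com, answered with a CNAME that steers it to a second domain, and the takedown "sinkholed" that domain so the answer is now controlled by the defenders. The script below is an added illustration of both, not code from ZDNet, Microsoft or FireEye: it scans constructed DNS query logs for lookups under the C&C domain (label-aligned, so look-alike names are not matched) and models a sinkhole that answers such lookups with a fixed address while recording which clients asked. The log lines, subdomain labels and client addresses are constructed; the sinkhole address is an RFC 5737 documentation address.

```python
from collections import defaultdict
from dataclasses import dataclass

# Domain named in the article as the SUNBURST C&C server. The article writes
# it defanged as avsvmcloud[.]com; it is normalised here for matching.
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample DNS query log (not real telemetry), one record per line:
# "<timestamp> <client_ip> <qname> <rtype> <answer>".
# The subdomain labels are made up; they do not reproduce the real encoding.
SAMPLE_DNS_LOG = """\
2020-12-15T17:01:02Z 10.20.30.41 constructed-label-1.avsvmcloud.com CNAME second-stage.invalid
2020-12-15T17:01:05Z 10.20.30.42 www.example.com A 93.184.216.34
2020-12-15T17:03:11Z 10.20.30.41 notavsvmcloud.com A 198.51.100.10
2020-12-15T17:04:50Z 10.20.30.57 constructed-label-2.avsvmcloud.com A 198.51.100.20
2020-12-15T17:05:00Z 10.20.30.58 avsvmcloud.com.evil.example A 203.0.113.9
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    qname: str
    rtype: str
    answer: str


def parse_dns_log(text):
    """Parse the five-field log format above; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        records.append(DnsRecord(*parts))
    return records


def is_under_domain(qname, domain):
    """True if qname is domain itself or a subdomain of it.

    The check is label-aligned and case-insensitive: 'notavsvmcloud.com' and
    'avsvmcloud.com.evil.example' must not match, only names whose labels end
    with the C&C domain's labels."""
    q = qname.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def find_c2_beacons(records, c2_domain=C2_DOMAIN):
    """Return the records that resolved a name under the C&C domain.

    A CNAME answer is the stronger signal the article describes: the reply
    pointed the implant at another domain for further instructions."""
    return [r for r in records if is_under_domain(r.qname, c2_domain)]


def infected_hosts(records, c2_domain=C2_DOMAIN):
    """Map each client that beaconed to the names it looked up."""
    hosts = defaultdict(list)
    for r in find_c2_beacons(records, c2_domain):
        hosts[r.client].append(r.qname)
    return dict(hosts)


class Sinkhole:
    """Model of a sinkholed domain after the takedown described in the article.

    Every name under the seized domain is answered with an address the
    defenders control, so no CNAME to a second-stage host is ever returned,
    and each querying client is recorded so infections can be counted."""

    SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address, a stand-in

    def __init__(self, domain=C2_DOMAIN):
        self.domain = domain
        self.clients = set()

    def answer(self, client, qname):
        """Return the (rtype, answer) pair for a sinkholed name, else None
        to signal that the query is not for the seized domain."""
        if not is_under_domain(qname, self.domain):
            return None
        self.clients.add(client)
        return ("A", self.SINKHOLE_IP)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for host, names in infected_hosts(recs).items():
        print(f"{host} beaconed to {', '.join(names)}")
    sh = Sinkhole()
    for r in recs:
        print(r.client, r.qname, "->", sh.answer(r.client, r.qname))
    print("clients seen by sinkhole:", sorted(sh.clients))
```

On the sample log the two look-alike names are left alone and only the two clients that resolved real subdomains of the C&C domain are reported; the same two clients are the ones the sinkhole records, which is the "track the number of infections" effect that comes with owning the domain.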

  • by dutt ( 738848 ) on Tuesday December 15, 2020 @05:57PM (#60835298) Homepage

    It's not every day I take my hat off to Microsoft. At least they got this sinkhole right.

    • Microsoft's been in the 'seizing key domains' business recently it seems. I wonder how they appointed themselves to this coveted position.

      • by raymorris ( 2726007 ) on Tuesday December 15, 2020 @06:43PM (#60835474) Journal

        In most of the cases, the bad guys used the domains for fake O365 login pages, covered with Microsoft trademarks.

        That is of course damaging to their Office 365 brand and is an unlawful use of their trademarks.

        So far Microsoft seems to have done the right things when they get control of the domains.

        • Sure, subdomains of Microsoft's domains are easy to 'take control of' for them.
          TFA summary says: "...The domain in question is avsvmcloud[.]com..." which doesn't seem to have anything to do with Microsoft.
          What I am really questioning here is the 'Microsoft and coalition of tech companies' part. Granted I only scanned through the summary as I can rarely be bothered to click through to the sources, but I see Microsoft attached to many recent articles about domain takeovers from $badGuys, and that looks stran

          • Not subdomains of O365. FAKE O365 login pages are used routinely by the bad guys, to steal credentials.

            Because the bad guys are pretending to be Microsoft, using Microsoft's trademarks, that gives MS legal standing to do something about it.

            Control of the CnC domains means they can shut down the malware. They can also track the number of infections, etc.

          • by Anonymous Coward

            What I am really questioning here is the 'Microsoft and coalition of tech companies' part.

            The international courts can issue any orders the judges want to issue.
            In all these cases they instruct the FBI to hand deliver orders to Verisign to reassign the domains ownership and NS glue records.

            Microsoft happens to be a company quite friendly to the US federal government, and have worked with the FBI for some time.
            They also happen to have the network infrastructure to handle being the destination for such traffic (Think Azure infrastructure)

            Most of the big network names that come to my mind aren't ex

  • After the Cozy Bear got in, ate all the livestock, and escaped.

  • by etudiant ( 45264 ) on Tuesday December 15, 2020 @06:57PM (#60835508)

    Given that this was a carefully built piece of malware, I'd be astonished if there was just a single command domain.
    Unless MS and friends have parsed the entire code, one should assume that there are at least a couple of backups, so the effort is not lost by losing this C&C domain.

  • So the header (and the article) is saying something about seizing, while later it turns out that the domain was "sinkholed". I am not aware of this technique and would welcome an explanation of what really happened. Is the domain just being redirected in Microsoft's & co DNS servers? And why is law enforcement mentioned in the article? And on what orders did all this happen? Does it mean that technical companies can, on a whim, "sinkhole" any domain they choose?
  • So I googled... how does SUNBURST infect
    And I got results with the words IS, ARE, WILL, CAN all highlighted in the results as if I searched for those. And many of the results seem to be related to drugs and disease instead of computer viruses.

    Anyone else get this and any theory as to why this just happened?
