
Microsoft and FireEye Create a “Killswitch” for Sunburst Malware Affecting SolarWinds’ Orion

A collaborative effort between Microsoft, FireEye, and GoDaddy has created a “killswitch” for the Sunburst malware, which has reportedly infected SolarWinds’ Orion platform through its auto-update functionality.


The recently reported supply chain attack on the SolarWinds Orion platform has drawn wide attention because the Orion IT management platform is used by several U.S. government agencies, including the Dept. of Treasury, Dept. of Commerce, and Dept. of Homeland Security. Apart from its public sector clientele, SolarWinds Orion is also used extensively by organizations in the private domain, including Boeing and Los Alamos National Laboratory. Thus, the extent of the damage caused by the attack can only be estimated until the final assessment reports come in.


However, to stop further spread of the nefarious Sunburst malware and to provide interim relief to SolarWinds’ clients, a group of tech firms (Microsoft, FireEye, and GoDaddy) collectively devised a “killswitch” to take control of one of the domains that the attackers used for transmitting the malicious code into victims’ systems.

Sunburst Malware Killswitch

FireEye, in its report, stated that the compromised networks were seen communicating with a malicious domain name, avsvmcloud[.]com, one of the many domains the attackers had set up to control and communicate with the affected systems. Gaining control over this domain would therefore at least provide relief to SolarWinds by preventing further spread. For this, researchers from Microsoft and FireEye collaborated and, with the help of the domain registrar GoDaddy, devised a “killswitch” to take over the malicious domain.

The story was first reported by investigative journalist Brian Krebs, who stated, “There were signs over the past few days that control over the domain had been transferred to Microsoft.” FireEye, in its statement, confirmed that it had applied a killswitch to the domain and had additionally reconfigured it so that the Sunburst malware does not operate under certain conditions.

Shedding more light on how the killswitch works, a FireEye spokesperson said,

Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.

This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.

This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.
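The statement above describes two facts a defender can act on: hosts still resolving avsvmcloud[.]com are running a SUNBURST build that has not been cleaned up, and a sinkholed answer only disables that backdoor, not any other persistence the actor left behind. The following is an added example (not code from FireEye, Microsoft, or this article) that scans constructed DNS resolver log lines for queries to that domain and reports, per client, whether every answer it received fell inside an assumed sinkhole range; the log format and the `198.51.100.0/24` sinkhole range are assumptions, since the page does not give the real trigger addresses.

```python
import ipaddress
import re
from collections import defaultdict

# The C2 domain named in the article (written without the defanging brackets).
C2_DOMAIN = "avsvmcloud.com"

# ASSUMPTION: placeholder for the address range whose answers make SUNBURST
# self-terminate. The page does not list the real ranges; replace with the
# published ones before use.
SINKHOLE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed resolver log lines: <timestamp> <client> query A <name> answer <ip>
SAMPLE_DNS_LOG = """\
2020-12-16T10:01:02Z 10.10.5.21 query A abc123.avsvmcloud.com answer 198.51.100.7
2020-12-16T10:01:40Z 10.10.5.22 query A updates.example.com answer 203.0.113.8
2020-12-16T10:02:11Z 10.10.7.3 query A zzz999.avsvmcloud.com answer 203.0.113.200
2020-12-16T10:03:55Z 10.10.5.21 query A abc123.avsvmcloud.com answer 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query A (\S+) answer (\S+)$")


def is_c2_name(name: str) -> bool:
    """True for the C2 domain itself or any subdomain of it."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def in_sinkhole(ip: str) -> bool:
    """True if the resolved address lies in an assumed sinkhole range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINKHOLE_NETWORKS)


def beaconing_hosts(log_text: str) -> dict:
    """Map each client that resolved the C2 domain to its query count and
    whether every answer it received was a sinkhole address. A host with
    all_sinkholed=True had its SUNBURST backdoor disabled by the killswitch,
    but still needs an investigation for other persistence mechanisms."""
    seen = defaultdict(lambda: {"queries": 0, "answers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, name, answer = m.groups()
        if is_c2_name(name):
            seen[client]["queries"] += 1
            seen[client]["answers"].add(answer)
    return {
        client: {"queries": v["queries"],
                 "all_sinkholed": all(in_sinkhole(a) for a in v["answers"])}
        for client, v in seen.items()
    }
```

Running `beaconing_hosts(SAMPLE_DNS_LOG)` flags 10.10.5.21 (two queries, sinkholed answers) and 10.10.7.3 (one query, non-sinkhole answer); both hosts warrant follow-up, the second more urgently.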

Since the three tech companies now have control over the malicious domain, it could very well mean that more names of affected SolarWinds clients will be revealed.
