430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

Microsoft partnered with security firms to sinkhole the C2 used in SolarWinds hack

Microsoft and its partners have seized the primary domain used in the SolarWinds attack to identify the victims through sinkholing. Microsoft partnered with other cybersecurity firms to seize the primary domain used in the SolarWinds attack (avsvmcloud[.]com) in an attempt to identify all victims and prevent other systems from being served malicious software. The domain […]

SolarWinds NNSA

Microsoft and its partners have seized the primary domain used in the SolarWinds attack to identify the victims through sinkholing.

Microsoft partnered with other cybersecurity firms to seize the primary domain used in the SolarWinds attack (avsvmcloud[.]com) in an attempt to identify all victims and prevent other systems from being served malicious software.

The domain avsvmcloud[.]com was the command and control (C&C) server for the backdoor delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.

The tainted version of SolarWinds Orion plug-in masqueraded network traffic as the Orion Improvement Program (OIP) protocol, it communicates via HTTP to C2 to retrieve and execute malicious commands, dubbed “Jobs.” The backdoor supports multiple features, including file transferring, executing files, disabling system services, and gathering system info.

The attackers used VPN servers in the same country as the victim to obfuscate the IP addresses and evade detection.

In a security advisory published by SolarWinds, the company confirmed the supply chain attack, the threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020. The vendor recommends users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.

The C&C domain communicates to the bot via DNS responses that contained a CNAME field with information on the domain that will provide further commands and payload to the SUNBURST backdoor.

Now security firms sinkholed the avsvmcloud[.]com domain that is now under the control of Microsoft.

Experts from Symantec confirmed that the presence of the SUNBURST backdoor on the internal networks of 100 of its customers.

“Symantec has identified more than 2,000 computers at over 100 customers that received Trojanized software updates but has not identified any further malicious impact on those machines.” reads the analysis published by Symantec.

After the seizure of avsvmcloud[.]com, the domain redirects to an IP address owned by Microsoft. All the infected machine that will attempt to contact the C2 will be tracked by Microsoft and its partners that will notify the impacted organizations.

The FBI and CISA are still investigating the supply chain attack along with security firms in the attempt to determine the extent of the attack.

US DHS CISAMicrosoft, and FireEye, have shared Indicators of Compromise for the SolarWinds attack.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Supply chain attack)

[adrotate banner=”5″]

[adrotate banner=”13″]