Microsoft and a consortium of other tech companies intervened earlier today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the matter.
The domain in question is avsvmcloud[.]com, which served as the command and control server for malware delivered to around 18,000 SolarWinds customers via a slip-streamed update that included a Trojan for the company’s Orion app.
SolarWinds Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained a strain of malware named SUNBURST (also known as Solorigate). Once installed on a computer, the malware would sit dormant for 12 to 14 days and then ping a subdomain of avsvmcloud[.]com.
The massive breach is allegedly the work of state-sponsored actors. SolarWinds software is used worldwide for IT-related services, including remote monitoring and enterprise endpoint management.
According to analysis from security firm FireEye, the command and control domain would answer the malware’s DNS query with a response containing a CNAME record pointing to another domain, from which the SUNBURST malware would obtain additional commands to further weaponize the payloads delivered to its victims.
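The beacon-and-CNAME pattern described above, as an added detection example (not code from the article or from FireEye): it scans resolver log lines in a constructed format for queries to avsvmcloud[.]com subdomains and records any CNAME hand-off to a second domain. The log format, sample hosts and the second-stage name are all constructed placeholders.

```python
# Added example (not from the article): flag DNS activity matching the SUNBURST
# beacon pattern -- a query for a subdomain of avsvmcloud[.]com, plus any CNAME
# in the answer that hands the host a second command and control domain.
import re
from typing import Dict, List, Optional

C2_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log in a hypothetical
# "timestamp client qtype qname -> answer" shape; adapt LINE_RE to your resolver.
SAMPLE_LOG = """\
2020-12-10T03:14:07Z 10.0.5.21 A cdn.update-vendor.example -> A 203.0.113.8
2020-12-10T03:14:09Z 10.0.5.21 A k3f9q2.avsvmcloud.com -> CNAME second-stage.example
2020-12-10T03:15:41Z 10.0.7.3 A mail.corp.example -> A 198.51.100.4
2020-12-10T03:16:00Z 10.0.9.12 A z8w1xm.AVSVMCLOUD.COM. -> NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+->\s+(?P<answer>.+)$"
)


def is_c2_subdomain(name: str, c2_domain: str = C2_DOMAIN) -> bool:
    """True for the C2 apex or any label beneath it; case and trailing-dot insensitive."""
    n = name.lower().rstrip(".")
    return n == c2_domain or n.endswith("." + c2_domain)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sunburst_beacons(log_text: str) -> List[Dict[str, str]]:
    """One finding per query to the C2 domain; a CNAME answer is rated higher
    because that is the stage where the operator redirects the host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_c2_subdomain(rec["qname"]):
            continue
        answer = rec["answer"].split()
        cname = answer[1].rstrip(".") if len(answer) == 2 and answer[0] == "CNAME" else ""
        findings.append({
            "client": rec["client"],
            "qname": rec["qname"],
            "cname_target": cname,
            "severity": "high" if cname else "medium",
        })
    return findings
```

A medium finding still means the host ran a trojanized Orion build and woke from its dormancy period; the CNAME simply shows the operator answered.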
It appears the domain used in the breach was set up to be operational in late February of this year, according to DNS and registrar records. The domain name was cleverly crafted to resemble a cloud service, so even analysts trained to inspect network traffic could easily mistake it for a legitimate client/server traffic stream.
Earlier today, avsvmcloud[.]com was seized and transferred into Microsoft’s possession. Sources familiar with today’s actions described the takedown as “protective work” done to prevent the threat actor behind the SolarWinds hack from delivering new orders to infrastructure already infected.