FireEye and partners GoDaddy and Microsoft have deployed a so-called kill-switch against the SolarWinds Sunburst/Solarigate malware used by a state-backed actor to compromise multiple US government departments and FireEye, mitigating some of the potential impact of the wide-ranging attack.
The cyber attack saw the compromise of SolarWinds’ network and the insertion of code into its Orion network management platform, which was then distributed to about 18,000 customer organisations and used as a means for the attackers to compromise their victims.
In a statement initially circulated to KrebsOnSecurity, which was first to report the release, FireEye said it had found that, depending on the IP address returned when the malware calls out to its command and control (C2) infrastructure using the avsvmcloud[.]com domain, Sunburst terminates itself and prevents further execution.
“This kill-switch will affect new and previous Sunburst infections by disabling Sunburst deployments that are still beaconing to avsvmcloud[.]com,” a FireEye spokesperson said in the statement.
As per BleepingComputer’s reporting, by working together to seize this domain and create a wildcard domain name system (DNS) resolution to force it to resolve to an IP address in its blocklist – in this case 20.140.0.1 – FireEye, GoDaddy and Microsoft have ensured Sunburst will cease to function.
The IP address in question is controlled by Microsoft, which is probably why the creators of Sunburst added it to their blocklist in order to better obfuscate their activity.
However, FireEye went on to point out that this was not necessarily a cure-all for Sunburst victims, because in the intrusions it has seen to date, the attackers quickly established further backdoors and persistence mechanisms.
“This kill-switch will not remove the actor from victim networks where they have established other backdoors,” said the firm’s spokesperson. “However, it will make it more difficult for the actor to leverage the previously distributed versions of Sunburst.”
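For defenders, the wildcard resolution described above also means resolver logs reveal which internal hosts are still running Sunburst, and those hosts need investigating even when the kill-switch answer was returned. The following added example (not from FireEye or the original article) triages a DNS log for queries to the C2 zone; the log format, client addresses, subdomain labels and the non-sinkhole answer are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

C2_ZONE = "avsvmcloud.com"  # domain from the article, un-defanged for matching
KILL_SWITCH_IP = ipaddress.ip_address("20.140.0.1")  # address from the article

# Constructed sample log; assumed format: timestamp client qname answer
SAMPLE_LOG = """\
2020-12-16T09:14:02Z 10.1.4.23 a1b2c3.avsvmcloud.com. 20.140.0.1
2020-12-16T09:15:40Z 10.1.4.23 A1B2C3.AVSVMCLOUD.COM 20.140.0.1
2020-12-10T22:01:11Z 10.1.7.80 d4e5f6.avsvmcloud.com 198.51.100.7
2020-12-16T09:16:05Z 10.1.9.12 notavsvmcloud.com 203.0.113.5
2020-12-16T09:17:30Z 10.1.9.12 avsvmcloud.com.example.net 203.0.113.9
2020-12-16T09:18:00Z 10.1.2.2 www.example.org 192.0.2.10
malformed line
"""


def in_c2_zone(qname: str) -> bool:
    """True for the zone apex or any subdomain, not for lookalike names."""
    name = qname.rstrip(".").lower()
    return name == C2_ZONE or name.endswith("." + C2_ZONE)


def triage(log_text: str) -> dict:
    """Map each client that queried the C2 zone to a triage label."""
    answers = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not in_c2_zone(fields[2]):
            continue
        try:
            answers[fields[1]].add(ipaddress.ip_address(fields[3]))
        except ValueError:
            answers[fields[1]].add(None)  # NXDOMAIN or other non-IP answer
    result = {}
    for client, seen in answers.items():
        # Every listed client ran Sunburst; the label only records whether
        # all of its lookups were answered with the kill-switch address.
        sinkholed_only = seen == {KILL_SWITCH_IP}
        result[client] = "sinkholed" if sinkholed_only else "non-sinkhole answer"
    return result


if __name__ == "__main__":
    for client, label in sorted(triage(SAMPLE_LOG).items()):
        print(client, "->", label)
```

Matching on the zone suffix rather than a substring keeps lookalike names such as `notavsvmcloud.com` out of the results.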
Meanwhile, questions continue to mount for SolarWinds as more intelligence trickles out around the attack. On Wednesday 16 December, researchers at Intel471 said they had seen Russian-language actors trying to sell access to SolarWinds up to three years ago, and claimed the seller had “allegedly attempted to work his way deeper into the SolarWinds network and eventually to the source code of its products”. This would tally with the method of the Sunburst attack.
The researchers said other actors have since claimed to have access to SolarWinds’ network, including one with links to the REvil/Sodinokibi ransomware gang, although this is not necessarily any indication of a link.
Eran Farajun, executive vice-president at data protection specialist Asigra, said he had been warning about the potential for attacks on remote monitoring and management (RMM) software – such as SolarWinds’ products – for some time.
“RMM was, and remains, a soft underbelly for attacks and backup software is integrated into the SolarWinds RMM platform Orion,” he said. “In the same ways that RMM was compromised and used as a proxy to traverse into the source network and machines and exfiltrate data, a threat actor can do it for profit with ransomware.
“The same happens with backup. Once you are in through the RMM, it is a hop, skip and a jump over into the integrated backup app. The best defensive strategy is to keep these important apps separate and protect them as one protects other vital production systems.”
Other reports in the US media have called into question the actions of people associated with SolarWinds in the run-up to the incident, after top investors were found to have sold millions of dollars’ worth of company stock shortly before the attack was disclosed. The company’s shares have lost over one-fifth of their value since then.
According to the Washington Post, the two investors linked to the suspicious trades are Silver Lake and Thoma Bravo, both high-profile private equity vehicles with massive investments in the tech industry. Between them, they hold 70% of SolarWinds and have six seats on its board, which would give them access to key insider information. Both investors have said they were not aware of the cyber attack, and SolarWinds has made no comment.
Given it is still unknown precisely when SolarWinds became aware of the attack, the timing of the trading activity will almost certainly spark a regulatory investigation by the Securities and Exchange Commission.