The kill switch, developed by FireEye in collaboration with Microsoft and GoDaddy, will defang new and previous Sunburst infections by disabling any deployments that are still beaconing to the C2.
It beacons out to a command-and-control (C2) domain called avsvmcloudcom.
ORION SOLARWINDS WIKIPEDIA SOFTWARE
The backdoor was injected into .dll, a SolarWinds digitally signed component of the Orion software framework, which is a plugin that communicates via HTTP to third-party servers. Microsoft calls the backdoor “Solorigate.” “Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” a Microsoft security blog explained. Microsoft for instance on Wednesday began blocking the versions of SolarWinds updates containing the malicious binary, known as the “Sunburst” backdoor, and, FireEye has identified a kill switch for the malware. That story is unfolding as defenders take action. “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform however, these are still being investigated,” it said in an updated bulletin on Thursday. Cybersecurity and Infrastructure Security Agency (CISA) has warned that SolarWinds may not be alone in its use in the campaign.
ORION SOLARWINDS WIKIPEDIA PASSWORD
Researchers said that includes its use of a default password (“SolarWinds123”) that gave attackers an open door into its software-updating mechanism and, SolarWinds’ deep visibility into customer networks. A perfect storm may have come together to make SolarWinds such a successful attack vector for the global supply-chain cyberattack discovered this week.
0 kommentar(er)
