Dive Brief:
- FireEye, days after identifying the supply chain attack on the SolarWinds Orion platform, said it has identified a killswitch that will prevent the SUNBURST malware from operating.
- FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections. Depending on the IP address returned when the malware resolves avsvmcloud[.]com, the malware would terminate itself and prevent further execution under certain conditions, according to the company.
- "This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com," a FireEye spokesperson said. "However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor."
Dive Insight:
The massive attack, which analysts and other officials say they suspect was backed by Russia, has disrupted thousands of SolarWinds corporate customers and several major U.S. agencies, including the Department of Commerce and the Department of Treasury.
FireEye said the killswitch will not remove the actor from networks where they have established other backdoors, but it will make it tougher for the actor to leverage previously distributed versions of SUNBURST.
SUNBURST malware installed at customer organizations issues requests to avsvmcloud[.]com to receive further instructions, said Duncan Greatwood, CEO of Xage Security. One possible instruction that SUNBURST would receive is to terminate itself.
GoDaddy is now the registrar for avsvmcloud[.]com, and accordingly could direct avsvmcloud[.]com to a friendly party such as Microsoft. Microsoft's avsvmcloud[.]com servers could then issue "terminate yourself" instructions to SUNBURST malware that is installed at customers' systems when they reach out to avsvmcloud[.]com.
"This should mean that any new instances of SUNBURST self-terminate before they do further damage," he said.
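A defender's follow-up to the mechanism described above, added here and not part of the article or of FireEye's tooling: because the killswitch only affects deployments that still beacon to avsvmcloud[.]com, hosts that keep resolving that domain are worth identifying and checking for the additional persistence FireEye describes. The DNS log format and the sample lines below are constructed for illustration.

```python
import re
from collections import Counter

# Domain the article names as the SUNBURST beacon target (brackets removed for matching).
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed log lines in a hypothetical "timestamp client qname qtype" format.
SAMPLE_DNS_LOG = """\
2020-12-15T10:01:02Z 10.1.4.22 api.example-saas.com A
2020-12-15T10:01:09Z 10.1.4.22 abc123.avsvmcloud.com A
2020-12-15T10:02:41Z 10.1.7.90 AVSVMCLOUD.COM. A
2020-12-15T10:03:00Z 10.1.4.22 updates.example-vendor.com A
2020-12-15T10:05:17Z 10.1.7.90 xyz789.sub.avsvmcloud.com A
2020-12-15T10:06:30Z 10.1.9.13 notavsvmcloud.com A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def is_beacon_domain(qname: str, domain: str = BEACON_DOMAIN) -> bool:
    """True for the domain itself or any label under it; case and trailing dot are normalised.
    Suffix matching is anchored on the dot so that look-alikes such as notavsvmcloud.com
    do not match."""
    name = qname.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def find_beaconing_hosts(log_text: str) -> dict:
    """Return {client_ip: query_count} for clients that resolved the beacon domain."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if is_beacon_domain(m["qname"]):
            hits[m["client"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_beaconing_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {n} quer{'y' if n == 1 else 'ies'} for {BEACON_DOMAIN}")
```

A host on this list is a candidate for the deeper review the article calls for, since the killswitch stops the beaconing implant but not any other backdoors the actor installed.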
SolarWinds, which has a total of more than 300,000 customers worldwide, disclosed that it had notified about 33,000 customers of the vulnerability, which was inserted into the Orion platform between March and June, according to an 8-K filing with the SEC. About 18,000 customers were affected.