FireEye said it’s identified a killswitch that prevents the malware distributed through malicious updates to SolarWinds’ Orion network monitoring tool from continuing to operate.
The breakthrough comes just a day after KrebsOnSecurity reported that Microsoft had taken control over a key domain name that was used by the SolarWinds hackers to communicate with systems compromised by the backdoor Orion product updates. FireEye named the malware distributed through trojanized SolarWinds Orion updates SUNBURST.
“Under certain conditions, the malware would terminate itself and prevent further execution,” a FireEye spokesperson said in a statement. “This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com.”
FireEye said its ability to prevent SUNBURST from continuing to operate depends on the IP address returned when the malware resolves avsvmcloud[.]com. The platform security vendor cautioned that, in the intrusions it has seen, the state-sponsored hackers moved quickly to establish additional ways of accessing the victim networks beyond the SUNBURST backdoor.
The killswitch identified by FireEye won’t remove the hackers – who The Washington Post said are with the Russian intelligence service – from victim networks where they’ve established other backdoors, according to the company. But it will make it more difficult for the hackers to leverage versions of SUNBURST that were previously distributed to victims.
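As an added example, not code from the article, FireEye or any of the companies named, here is a small defender-side sweep that reads DNS resolver logs and lists which internal hosts are still resolving avsvmcloud[.]com, keeping the answer IP because FireEye says whether SUNBURST keeps running depends on it. The log line format, the subdomain labels and all IP addresses are assumptions constructed for the sample.

```python
import re
from collections import defaultdict

# Beacon domain named in the article, kept defanged as written there.
SUNBURST_C2_DOMAIN = "avsvmcloud[.]com"

# Assumed resolver log format (not from the article): "<ts> <client_ip> query <name> -> <answer_ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")

# Constructed sample log: subdomain labels, client and answer IPs are all made up.
SAMPLE_LOG = """\
2020-12-15T09:01:12Z 10.1.4.22 query k7d2.region1.avsvmcloud.com -> 198.51.100.7
2020-12-15T09:01:15Z 10.1.4.23 query updates.example.com -> 203.0.113.9
2020-12-15T09:02:40Z 10.1.4.22 query k7d2.region1.avsvmcloud.com. -> 198.51.100.7
2020-12-15T09:03:01Z 10.1.9.5 query AVSVMCLOUD.COM -> 198.51.100.8
2020-12-15T09:03:30Z 10.1.9.6 query notavsvmcloud.com -> 203.0.113.10
"""


def normalize(name: str) -> str:
    """Refang '[.]', lower-case, and drop the trailing dot resolvers add to FQDNs."""
    return name.replace("[.]", ".").lower().rstrip(".")


def is_sunburst_beacon(name: str, c2_domain: str = SUNBURST_C2_DOMAIN) -> bool:
    """True for the C2 domain itself or any subdomain; 'notavsvmcloud.com' must not match."""
    name, c2 = normalize(name), normalize(c2_domain)
    return name == c2 or name.endswith("." + c2)


def beaconing_hosts(log_text: str) -> dict:
    """Map each client still resolving the C2 domain to (query count, sorted answer IPs).
    Answer IPs are kept because, per FireEye, whether SUNBURST keeps running or
    terminates depends on the address avsvmcloud[.]com resolves to."""
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines instead of aborting the sweep
        _ts, client, qname, answer = m.groups()
        if is_sunburst_beacon(qname):
            hits[client][0] += 1
            hits[client][1].add(answer)
    return {c: (n, sorted(a)) for c, (n, a) in hits.items()}


if __name__ == "__main__":
    for client, (count, answers) in beaconing_hosts(SAMPLE_LOG).items():
        print(f"{client}: {count} beacon lookups, resolved to {answers}")
```

Hosts that appear in the output are candidates for the follow-up FireEye describes: checking for the additional access paths the attackers established beyond SUNBURST, not just confirming the beacon is dead.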
FireEye said it worked with Microsoft and GoDaddy to deactivate SUNBURST infections. GoDaddy is the current domain registrar for the malware control servers used by the SolarWinds hackers, according to KrebsOnSecurity. GoDaddy told CRN USA in a statement Tuesday that it had worked closely with FireEye, Microsoft and others to help keep the internet safe and secure.
Microsoft has a long history of seizing control of domains involved with malware, particularly when those sites are being used to attack Windows clients, according to KrebsOnSecurity. Given their visibility into and control over the malicious domain, Microsoft, FireEye, GoDaddy and others likely now have a decent idea which companies may still be struggling with SUNBURST infections, KrebsOnSecurity said.
Trump administration officials acknowledged Monday that federal agencies including the State Department, the Department of Homeland Security, and parts of the Pentagon had been compromised, according to The New York Times. Reuters reported Sunday that the Treasury Department and The Commerce Department’s National Telecommunications and Information Administration were breached.
The victims have included government, consulting, technology and telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote in a blog posted Sunday. The researchers said they anticipate there are additional victims in other countries and verticals.
The hackers behind the SolarWinds attack went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection, FireEye CEO Kevin Mandia wrote in a blog post Sunday. The adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools, according to Mandia.
The malware inserted into SolarWinds Orion masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.
Hostnames were set by the hackers on their command and control infrastructure to match a legitimate hostname found within the victim’s environment, allowing the adversary to blend into the environment, avoid suspicion, and evade detection, FireEye said. The attacker’s choice of IP addresses was also optimized to evade detection, using only IP addresses originating from the same country as the victim.
Once the attacker gained access to the network with compromised credentials, they moved laterally using credentials that were always different from those used for remote access, the threat researchers said. And once legitimate remote access was achieved, FireEye found that the hackers routinely removed their tools, including removing backdoors.