Microsoft and industry partners seize key domain used in SolarWinds hack
ZDNET ^ | 12/15/2020 | Catalin Cimpanu

Posted on 12/19/2020 10:13:01 AM PST by linMcHlp

UPDATED: The seized domain has been turned into a killswitch to prevent the SolarWinds hackers from escalating infections and making new victims.

Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the matter.

The domain in question is avsvmcloud[.]com, which served as the command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app.

SolarWinds Orion updates versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained a strain of malware named SUNBURST (also known as Solorigate).


TOPICS: Crime/Corruption; Government; News/Current Events; Technical
KEYWORDS: 202003; bluescreen; cybersecurity; hack; hacking; joke; orionplatform; seizure; solarwinds; windowspinglist; winvirus10
Three excerpts from the article:

Earlier today [12/15/2020], a coalition of tech companies seized and sinkholed avsvmcloud[.]com, transferring the domain into Microsoft's possession.

Currently, the avsvmcloud[.]com domain redirects to an IP address owned by Microsoft, with Microsoft and its partners receiving beacons from all the systems where the trojanized SolarWinds app has been installed.

This technique, known as sinkholing, is allowing Microsoft and its partners to build a list of all infected victims, which the organizations plan to use to notify all affected companies and government agencies.

1 posted on 12/19/2020 10:13:01 AM PST by linMcHlp

To: linMcHlp

Hacker is unknown.

https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html


2 posted on 12/19/2020 10:14:32 AM PST by linMcHlp

To: linMcHlp

Dec. 14, 2020:

“Dark Halo Leverages SolarWinds Compromise to Breach Organizations”

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/


3 posted on 12/19/2020 10:16:15 AM PST by linMcHlp

Did Gina Haspel get shot when they seized the domain?


4 posted on 12/19/2020 10:16:40 AM PST by proust (Justice delayed is injustice.)

To: proust

I thought there was an international governing body that controlled domain names? How does a private company like Microsoft seize the name?


5 posted on 12/19/2020 10:19:44 AM PST by RBW in PA

To: linMcHlp

Dec. 13, 2020

“Austin-based SolarWinds at center of massive US government hack”

https://www.kxan.com/news/local/austin/austin-based-solarwinds-at-center-of-massive-us-government-hack/


6 posted on 12/19/2020 10:19:53 AM PST by linMcHlp

To: linMcHlp

TRUMP: SolarWinds Breach ‘May Be China,’ MSM Won’t Admit Due To ‘Financial Reasons’; “There could also have been a hit on our ridiculous voting machines during the election”
National File ^ | 12/19/2020 | Andrew White
Posted on 12/19/2020, 10:11:49 AM by SeekAndFind

President Donald Trump suggested on Twitter that China ‘may be’ responsible for the recently announced SolarWinds cyber attack, adding that “Russia, Russia, Russia is the priority chant” when anything happens, because mainstream media outlets have “financial reasons” to not cover China’s potential involvement.

President Trump also said that the cyber attack could have impacted “our ridiculous voting machines” during the 2020 US election, adding that the election was a “corrupted embarrassment for the USA.”

This comes after several days of the mainstream media repeatedly blaming Russia or Russian actors for the devastating attack.

….discussing the possibility that it may be China (it may!). There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA. @DNI_Ratcliffe @SecPompeo

— Donald J. Trump (@realDonaldTrump) December 19, 2020

https://nationalfile.com/trump-solarwinds-breach-may-be-china-msm-wont-admit-due-to-financial-reasons/


7 posted on 12/19/2020 10:21:11 AM PST by Grampa Dave (If voting could change anything, they would not let us do it...!!! Posted by glasseye, 12/19/2020!! )

To: linMcHlp

The OP is an excerpt.


8 posted on 12/19/2020 10:23:41 AM PST by linMcHlp

To: proust

Loretta Fuddy did as well.


9 posted on 12/19/2020 10:24:25 AM PST by EEGator

To: linMcHlp; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
Microsoft helps kill spread of the SolarWinds hack ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

10 posted on 12/19/2020 10:27:49 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)

To: linMcHlp

Dec. 16, 2020

“SolarWinds Removes Customer List From Site as It Releases Second Hotfix”

https://www.securityweek.com/solarwinds-removes-customer-list-site-it-releases-second-hotfix


11 posted on 12/19/2020 10:28:14 AM PST by linMcHlp

To: linMcHlp

Dec. 17, 2020

“FireEye and partners release SolarWinds kill-switch”

https://www.computerweekly.com/news/252493790/FireEye-and-partners-release-SolarWinds-kill-switch


12 posted on 12/19/2020 10:30:55 AM PST by linMcHlp

To: dayglored
Sink-holing the primary C&C domain does two good things: 1) prevents further C&C, and 2) helps identify victims when the infection reaches out for C&C.

But it cannot do anything about the compromises and damage done, and continuing to be done, against existing victims. The malware has been running around in systems for months and has long since set up alternatives to the main C&C servers.

13 posted on 12/19/2020 10:32:12 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government."`)
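
The article excerpt in the original post and dayglored's comment above both describe the defensive half of a sinkhole: once the seized domain points at an address the defenders control, every host that still looks it up reveals itself, and the beacons can be turned into a victim list for notification. The script below is an added example, not code from ZDNet, Microsoft, or anyone in this thread; it shows the same logic applied to an organization's own resolver logs. The log lines and their four-field layout are constructed for the example, the subdomain labels are made up, and the 192.0.2.0/24 range stands in for the Microsoft-owned sinkhole address, which the thread does not give.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The seized C&C domain named in the article.
SINKHOLED_DOMAIN = "avsvmcloud.com"
# Placeholder for the Microsoft-owned address the domain now points at; the
# thread does not give the real address, so TEST-NET-1 space stands in for it.
SINKHOLE_NET = ip_network("192.0.2.0/24")

# Constructed resolver log, one query per line:
#   <ISO-8601 timestamp> <client IP> <queried name> <answer IP or "-" for none>
# This layout is hypothetical, not a real product's log format.
SAMPLE_LOG = """\
2020-12-15T03:14:07Z 10.20.5.17 a1b2c3.avsvmcloud.com 192.0.2.10
2020-12-15T03:14:09Z 10.20.5.17 a1b2c3.avsvmcloud.com 192.0.2.10
2020-12-15T03:20:31Z 10.20.7.44 updates.example.com 93.184.216.34
2020-12-15T03:22:12Z 10.20.9.3 d4e5f6.avsvmcloud.com. 192.0.2.10
2020-12-15T03:25:00Z 10.20.7.44 notavsvmcloud.com 198.51.100.7
2020-12-15T03:30:45Z 10.20.9.3 AVSVMCLOUD.COM -
this line is malformed and must be skipped, not crash the sweep
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Victim:
    client_ip: str
    first_seen: str
    last_seen: str
    queries: int = 0
    qnames: set = field(default_factory=set)
    hit_sinkhole: bool = False   # at least one answer fell inside SINKHOLE_NET


def is_under_domain(qname: str, domain: str) -> bool:
    """Match the domain itself or any subdomain, case-insensitively and with a
    trailing dot tolerated.  A plain suffix test would wrongly match
    'notavsvmcloud.com', so the label boundary ('.') is required."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def find_victims(log_text: str, domain: str = SINKHOLED_DOMAIN) -> dict:
    """Return {client_ip: Victim} for every client that looked up the domain."""
    victims: dict = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # malformed line: skip, keep going
        ts, client, qname, answer = m.groups()
        if not is_under_domain(qname, domain):
            continue
        v = victims.get(client)
        if v is None:
            v = victims[client] = Victim(client, ts, ts)
        # ISO-8601 timestamps in UTC compare correctly as strings.
        v.first_seen = min(v.first_seen, ts)
        v.last_seen = max(v.last_seen, ts)
        v.queries += 1
        v.qnames.add(qname.lower().rstrip("."))
        try:
            if ip_address(answer) in SINKHOLE_NET:
                v.hit_sinkhole = True
        except ValueError:
            pass                          # "-" / NXDOMAIN: no answer to classify
    return victims


def notification_list(victims: dict) -> list:
    """Clients to notify, most active first, as (client_ip, queries, first_seen)."""
    return sorted(
        ((v.client_ip, v.queries, v.first_seen) for v in victims.values()),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    found = find_victims(SAMPLE_LOG)
    for client, n, first in notification_list(found):
        v = found[client]
        print(f"{client}: {n} lookups since {first}, "
              f"sinkhole answer seen={v.hit_sinkhole}, names={sorted(v.qnames)}")
```

The label-boundary check in is_under_domain matters in practice: a bare suffix match would flag unrelated names that merely end in the same characters. The hit_sinkhole flag separates lookups that were answered with the defenders' address (post-seizure beacons) from earlier lookups that may have reached the original C&C, which is the distinction dayglored draws between stopping new C&C and the damage already done.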

To: linMcHlp

Fox guarding the hen house?


14 posted on 12/19/2020 10:36:36 AM PST by fireman15

To: linMcHlp

Dec. 18, 2020

“Microsoft, U.S. Energy Dept. Implicated In SolarWinds Hack”

https://www.oann.com/microsoft-u-s-energy-dept-implicated-in-solarwinds-hack/


15 posted on 12/19/2020 10:37:21 AM PST by linMcHlp

To: linMcHlp

The sophistication of this hack and the clever ways it used to mask its activities and avoid detection have never been seen before according to FireEye analysts. They were able to inject malware into a digitally signed DLL within the SolarWinds download without triggering any key mismatch alerts. They placed code in memory that used the actual admin credentials to traverse servers, extract and move files, and use the backdoor server HTTP parameters to control the malware code.

Anybody who can do this is an expert at exploiting Microsoft’s core. Could this be an insider hack that is supporting a foreign agency? Maybe this is why IT pros that have to build truly secure systems for the government stick with Linux, at least for the trusted infrastructure.


16 posted on 12/19/2020 10:39:35 AM PST by Dave Wright

To: linMcHlp

They seized a domain? Wow, they’re really on top of this.


17 posted on 12/19/2020 10:42:22 AM PST by perfect_rovian_storm

To: RBW in PA

I thought it was ICANN.


18 posted on 12/19/2020 10:43:52 AM PST by Salamander (There's Nothing For It But To Sit And Wait For The Hard Men To Get Me Out....)

To: fireman15

The hack not only networked directly to servers over the Internet; it also networked - spawned - to other areas throughout an affected organization, thus creating multiple compromised hosts that might have alternative / backdoor communications over the Internet.

Among the hack objectives was to locate files and delete them - by removing the paths to the files on Windows OS systems.

Yet another hack objective was to set up Wide Area Botnets.

A security feature of the (SolarWinds) Orion Platform, aboard a customer device, is claimed by SolarWinds (if I have that correct) to have indicated a problem that led to SolarWinds hitting the alarm.


19 posted on 12/19/2020 10:46:31 AM PST by linMcHlp

To: linMcHlp

What if people like Bill Gates came back from Neverland - helping motha earf - lecturing us on global warming - etc - and actually helped the world with some of the stuff he invented?

Seems like Bill Gates and friends could loan us their best people or form a work group and protect the United States from world class hackers.

Would that be too much to ask?


20 posted on 12/19/2020 10:49:16 AM PST by GOPJ (If China let go a virus that primarily killed gays, would Madison Ave. still up Chinese in TV ads? )

