Earlier today [12/15/2020], a coalition of tech companies seized and sinkholed avsvmcloud[.]com, transferring the domain into Microsoft's possession.
Currently, the avsvmcloud[.]com domain redirects to an IP address owned by Microsoft, with Microsoft and its partners receiving beacons from all the systems where the trojanized SolarWinds app has been installed.
This technique, known as sinkholing, is allowing Microsoft and its partners to build a list of all infected victims, which the organizations plan to use to notify all affected companies and government agencies.
Hacker is unknown.
https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/
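The sinkholing described in the excerpt means every infected host's beacon to the seized domain now resolves to a Microsoft-owned address, which is how the list of victims gets built. A defender who keeps their own DNS resolver logs can do the same enumeration locally, and can additionally separate beacons that reached the sinkhole from earlier ones that reached the attacker's infrastructure. The script below is an added example, not code from the ZDNet article or from Microsoft/FireEye; the log format, client IPs, subdomain labels and the sinkhole IP are constructed placeholders, and only the domain name comes from the article.

```python
"""Scan DNS resolver logs for hosts beaconing to the sinkholed SolarWinds C2 domain.

Added example, not code from the article or from Microsoft/FireEye. Assumes a
simple space-separated resolver log format; the log lines, client IPs and
subdomain labels below are constructed, and the sinkhole IP is a placeholder.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Domain seized and sinkholed on 2020-12-15 (named in the article).
SINKHOLED_DOMAIN = "avsvmcloud.com"

# Placeholder for the Microsoft-owned sinkhole address (TEST-NET-3, not the real
# IP); replace with the address your resolver actually returns after the takeover.
SINKHOLE_IPS = {"203.0.113.10"}

# Constructed sample log. Format: "<timestamp> <client-ip> <query-name> <qtype> <answer>"
SAMPLE_LOG = """\
2020-12-14T09:12:01Z 10.0.4.17 update.example.net A 198.51.100.20
2020-12-14T09:13:44Z 10.0.4.17 beacon-a1b2.api.avsvmcloud.com A 192.0.2.77
2020-12-15T16:02:11Z 10.0.4.17 beacon-a1b2.api.avsvmcloud.com A 203.0.113.10
2020-12-15T16:05:02Z 10.0.9.88 www.solarwinds.com A 198.51.100.30
2020-12-15T16:06:19Z 10.0.9.88 BEACON-C3D4.api.AVSVMCLOUD.COM. A 203.0.113.10
2020-12-15T16:08:50Z 10.0.12.3 notavsvmcloud.com A 198.51.100.9
malformed line that the parser must skip
"""


def is_sinkhole_query(qname: str, domain: str = SINKHOLED_DOMAIN) -> bool:
    """True if qname is the sinkholed domain or any subdomain of it.

    Normalises case and a trailing FQDN dot, and requires a label boundary so
    that look-alikes such as notavsvmcloud.com do not match.
    """
    name = qname.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def parse_line(line: str) -> Optional[dict]:
    """Parse one resolver log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "answer": answer}


def find_beaconing_hosts(log_text: str, domain: str = SINKHOLED_DOMAIN,
                         sinkhole_ips=SINKHOLE_IPS) -> Dict[str, List[dict]]:
    """Group queries for the sinkholed domain by client IP.

    Each hit records whether the answer was the sinkhole address (the beacon
    reached Microsoft) or something else (an earlier beacon that reached the
    attacker, so the host needs incident response, not just a notification).
    """
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sinkhole_query(rec["qname"], domain):
            continue
        rec["sinkholed"] = rec["answer"] in sinkhole_ips
        hits[rec["client"]].append(rec)
    return dict(hits)


def summarize(hits: Dict[str, List[dict]]) -> Dict[str, Dict[str, int]]:
    """Per host: number of beacons captured by the sinkhole vs. those that were not."""
    out: Dict[str, Dict[str, int]] = {}
    for client, recs in hits.items():
        captured = sum(1 for r in recs if r["sinkholed"])
        out[client] = {"sinkholed": captured, "pre_sinkhole": len(recs) - captured}
    return out


if __name__ == "__main__":
    for client, counts in summarize(find_beaconing_hosts(SAMPLE_LOG)).items():
        print(f"{client}: {counts}")
```

The pre-sinkhole count is the one that matters for triage: a host that only ever resolved the domain to the sinkhole address was caught after the takeover, while a host with earlier resolutions to some other address had a working channel to the attacker and should be treated as compromised rather than merely notified.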
Dec. 14, 2020:
“Dark Halo Leverages SolarWinds Compromise to Breach Organizations”
Did Gina Haspel get shot when they seized the domain?
Dec. 13, 2020
“Austin-based SolarWinds at center of massive US government hack”
The OP is an excerpt.
Dec. 16, 2020
“SolarWinds Removes Customer List From Site as It Releases Second Hotfix”
https://www.securityweek.com/solarwinds-removes-customer-list-site-it-releases-second-hotfix
Dec. 17, 2020
“FireEye and partners release SolarWinds kill-switch”
https://www.computerweekly.com/news/252493790/FireEye-and-partners-release-SolarWinds-kill-switch
Fox guarding the hen house?
Dec. 18, 2020
“Microsoft, U.S. Energy Dept. Implicated In SolarWinds Hack”
https://www.oann.com/microsoft-u-s-energy-dept-implicated-in-solarwinds-hack/
The sophistication of this hack and the clever ways it used to mask its activities and avoid detection have never been seen before, according to FireEye analysts. They were able to inject malware into a digitally signed DLL within the SolarWinds download without triggering any key mismatch alerts. They placed code in memory that used the actual admin credentials to traverse servers, extract and move files, and use the backdoor server's HTTP parameters to control the malware code.
Anybody who can do this is an expert at exploiting Microsoft's core. Could this be an insider hack that is supporting a foreign agency? Maybe this is why IT pros that have to build truly secure systems for the government stick with Linux, at least for the trusted infrastructure.
They seized a domain? Wow, they’re really on top of this.
I would also point out that MS-Windows itself is a virus that is in constant contact with its Borg masters.
Microsoft strives to be the sole issuer of malware while making holes for other malware.
But if I just own a computer, not a company or organization, that may not really help me. It might indirectly help by protecting my ISP.
Ping
If a domain is taken over can’t they determine who initiated/created/owned it?