- FireEye, days after identifying the supply chain attack on the SolarWinds Orion platform, said it has identified a killswitch that will prevent the SUNBURST malware from operating.
- FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections. Depending on the IP address returned when the malware resolves avsvmcloud[.]com, the malware would terminate itself and prevent further execution under certain conditions, according to the company.
- "This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com," a FireEye spokesperson said. "However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor."
The massive attack — which analysts and other officials say they suspect was backed by Russia — has disrupted thousands of SolarWinds corporate customers, and several major U.S. agencies, including the Department of Commerce, Department of Treasury and other agencies.
FireEye said the killswitch will not remove the actor from networks where they have established other backdoors, but it will make it tougher for the actor to leverage previously-distributed versions of SUNBURST.
SUNBURST malware installed at customer organizations issues requests to avsvmcloud[.]com to receive further instructions, said Duncan Greatwood, CEO of Xage Security. One possible instruction that SUNBURST would receive is to terminate itself.
GoDaddy is now the registrar for avsvmcloud[.]com, and accordingly could direct avsvmcloud[.]com to a friendly party such as Microsoft. Microsoft's avsvmcloud[.]com servers could then issue "terminate yourself" instructions to SUNBURST malware that is installed at customers' systems when they reach out to avsvmcloud[.]com.
"This should mean that any new instances of SUNBURST self-terminate before they do further damage," he said.
SolarWinds, which has a total of more than 300,000 customers worldwide, disclosed that it had notified about 33,000 customers of the vulnerability, which was inserted into the Orion platform between March and June, according to an 8-K filing with the SEC. About 18,000 customers were affected.