Quote:A perfect storm may have come together to make SolarWinds such a successful attack vector for the global supply-chain cyberattack discovered this week. Researchers said that includes its use of a default password (“SolarWinds123”) that gave attackers an open door into its software-updating mechanism; and, SolarWinds’ deep visibility into customer networks.
That story is unfolding as defenders take action. Microsoft for instance began blocking the versions of SolarWinds updates containing the malicious binary, known as the “Sunburst” backdoor, starting Wednesday; and, FireEye has identified a kill switch for the malware.
“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” a Microsoft security blog explained. Microsoft calls the backdoor “Solorigate.”
The backdoor was injected into SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of the Orion software framework, which is a plugin that communicates via HTTP to third-party servers. It beacons out to a command-and-control (C2) domain called avsvmcloud[.]com.
The kill switch, developed by FireEye in collaboration with Microsoft and GoDaddy, will defang new and previous Sunburst infections by disabling any deployments that are still beaconing to the C2.
“We identified a killswitch that would prevent Sunburst from continuing to operate,” a FireEye spokesperson told Threatpost. “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.”
Read more: https://threatpost.com/solarwinds-defaul...es/162327/
![[-]](https://www.geeks.fyi/images/collapse.png)
