
Solarwinds hack technical details

  1. SOLARWINDS HACK TECHNICAL DETAILS UPDATE
  2. SOLARWINDS HACK TECHNICAL DETAILS CODE

This entry was posted on Wednesday 16th of December 2020 01:37 PM

A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.

Austin, Texas-based SolarWinds disclosed this week that a compromise of its software update servers earlier this year may have resulted in malicious code being pushed to nearly 18,000 customers of its Orion platform. Many U.S. federal agencies and Fortune 500 firms use(d) Orion to monitor the health of their IT networks.

On Dec. 13, cyber incident response firm FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first compromised back in March 2020. FireEye said hacked networks were seen communicating with a malicious domain name, avsvmcloud[.]com, one of several domains the attackers had set up to control affected systems.

As first reported here on Tuesday, there were signs over the past few days that control over the domain had been transferred to Microsoft. Asked about the changeover, Microsoft referred questions to FireEye and to GoDaddy, the current domain name registrar for the malicious site.

SOLARWINDS HACK TECHNICAL DETAILS UPDATE

Today, FireEye responded that the domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software update from communicating with the attackers. What’s more, the company said the domain was reconfigured to act as a “killswitch” that would prevent the malware from continuing to operate in some circumstances.

“SUNBURST is the malware that was distributed through SolarWinds software,” FireEye said in a statement shared with KrebsOnSecurity. “As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate.”

“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.”

“This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”

It is likely that given their visibility into and control over the malicious domain, Microsoft, FireEye, GoDaddy and others now have a decent idea which companies may still be struggling with SUNBURST infections.

SOLARWINDS HACK TECHNICAL DETAILS CODE

The killswitch revelations came as security researchers said they’d made progress in decoding SUNBURST’s obfuscated communications methods. Chinese cybersecurity firm RedDrip Team published their findings on Github, saying its decoder tool had identified nearly a hundred suspected victims of the SolarWinds/Orion breach, including universities, governments and high tech companies.

Meanwhile, the potential legal fallout for SolarWinds in the wake of this breach continues to worsen. The Washington Post reported Tuesday that top investors in SolarWinds sold millions of dollars in stock in the days before the intrusion was revealed. SolarWinds’s stock price has fallen more than 20 percent in the past few days. The Post cited former enforcement officials at the U.S. Securities and Exchange Commission (SEC) saying the sales were likely to prompt an insider trading investigation.
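The practical takeaway from FireEye's statement is that a host still resolving names under avsvmcloud[.]com is still running the SUNBURST backdoor, and that the sinkholed killswitch does not clear the actor's other persistence. The script below is an added example, not code from the article, from FireEye, or from the RedDrip decoder: it hunts a resolver log for lookups under the C2 domain and summarises which internal clients beaconed, how often, and what answer they got. The log line format, the client addresses, the subdomain labels and the answers are all constructed for the example; the only real value is the domain name taken from the article.

```python
"""Hunt DNS resolver logs for SUNBURST beacons to avsvmcloud[.]com.

Added example (not the article's or FireEye's code). It assumes a simplified,
constructed resolver log line format:
    <ISO timestamp> <client IPv4> <query name> <qtype> <answer or NXDOMAIN>
"""
import re
from dataclasses import dataclass, field

# The malicious C2 domain named in the article (written undefanged so it can
# be matched against log data).
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed sample telemetry, not real logs. Subdomain labels are made up;
# 10.1.2.55 queries a look-alike name that must NOT be flagged, and the last
# line is deliberately malformed to show that parsing skips rather than aborts.
SAMPLE_LOG = """\
2020-12-16T13:01:02Z 10.1.2.30 k3l9xq2m.sample-labels.avsvmcloud.com A 203.0.113.10
2020-12-16T13:01:05Z 10.1.2.31 www.example.com A 93.184.216.34
2020-12-16T13:02:07Z 10.1.2.30 k3l9xq2m.sample-labels.avsvmcloud.com A 203.0.113.10
2020-12-16T13:03:11Z 10.1.2.55 avsvmcloud.com.lookalike.example A 198.51.100.7
2020-12-16T13:04:40Z 10.1.2.77 p8v2dd0r.sample-labels.avsvmcloud.com A NXDOMAIN
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+"
    r"(?P<qtype>[A-Z]+)\s+"
    r"(?P<answer>\S+)$"
)


def is_beacon_qname(qname: str, domain: str = BEACON_DOMAIN) -> bool:
    """True only for the domain itself or a name under it.

    A plain substring test would also match look-alikes such as
    'avsvmcloud.com.lookalike.example', so we compare on label boundaries.
    """
    name = qname.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


@dataclass
class BeaconSummary:
    client: str
    queries: int = 0
    first_seen: str = ""
    last_seen: str = ""
    qnames: set = field(default_factory=set)
    answers: set = field(default_factory=set)


def find_beacons(log_text: str, domain: str = BEACON_DOMAIN) -> dict:
    """Return {client_ip: BeaconSummary} for every client that queried the domain."""
    hits: dict = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip it, keep hunting
        if not is_beacon_qname(m["qname"], domain):
            continue
        summary = hits.setdefault(
            m["client"], BeaconSummary(client=m["client"], first_seen=m["ts"])
        )
        summary.queries += 1
        summary.last_seen = m["ts"]
        summary.qnames.add(m["qname"].lower().rstrip("."))
        summary.answers.add(m["answer"])
    return hits


def report(hits: dict) -> list:
    """One human-readable line per beaconing client, sorted by address."""
    return [
        f"{s.client}: {s.queries} lookup(s) {s.first_seen} .. {s.last_seen}, "
        f"answers={sorted(s.answers)}"
        for s in sorted(hits.values(), key=lambda s: s.client)
    ]


if __name__ == "__main__":
    for line in report(find_beacons(SAMPLE_LOG)):
        print(line)
```

Each client in the output is a host that should be treated as compromised and investigated for the additional persistence FireEye describes, whatever answer the sinkholed domain now returns; the answer column is kept only so an analyst can see whether the beacon reached the seized infrastructure or failed to resolve.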