FireEye, Microsoft find 'killswitch' to hamper SolarWinds-related malware

FireEye at the 2019 Black Hat conference in Las Vegas. (Greg Otto / CyberScoop)

As the U.S. government works to contain a sprawling hacking campaign that relies on compromised software from SolarWinds, a federal contractor, technology firms are disabling some of the hackers’ key infrastructure.

Cybersecurity giant FireEye on Wednesday said that it had worked with Microsoft and the domain registrar GoDaddy to take over one of the domains that attackers had used to send malicious code to victim machines. The move is no panacea for stopping the suspected state-sponsored hacking campaign, though it could help stem the tide of victims, which reportedly includes the departments of Treasury and Homeland Security.

The seized domain, known as a “killswitch,” will “affect new and previous” infections of the malicious code coming from that particular domain, FireEye said in a statement that was first reported by independent journalist Brian Krebs. “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.”

The killswitch will make it harder for the attackers to use the malware, known as SUNBURST, that they have already deployed. FireEye warned, though, that hackers still have other means of retaining access to networks. “[I]n the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor.”
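As an added illustration (not code from FireEye, Microsoft or this article), here is one way a responder could triage DNS resolver logs for lookups of the killswitch domain named above, listing which internal hosts are still resolving it and what answer each received. The log line format and every sample line are constructed assumptions, not real data; the resolved IPs are from documentation ranges.

```python
import re
from collections import defaultdict

# Domain named in the article (written defanged there as avsvmcloud[.]com).
KILLSWITCH_DOMAIN = "avsvmcloud.com"

# Assumed resolver log format (constructed for this example):
#   <timestamp> <client-ip> query <name> A answer <ip>   or   ... A NXDOMAIN
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+) A "
    r"(?:answer (?P<answer>\S+)|(?P<rcode>NXDOMAIN))$"
)

# Constructed sample log: two hosts query subdomains of the killswitch domain,
# one queries a look-alike name that must NOT match.
SAMPLE_LOG = """\
2020-12-15T10:01:02Z 10.0.0.5 query constructed-label-1.avsvmcloud.com A answer 192.0.2.10
2020-12-15T10:01:05Z 10.0.0.9 query www.example.com A answer 198.51.100.7
2020-12-15T10:03:44Z 10.0.0.12 query constructed-label-2.avsvmcloud.com A answer 192.0.2.10
2020-12-15T10:04:00Z 10.0.0.12 query notavsvmcloud.com A answer 203.0.113.9
2020-12-15T10:05:30Z 10.0.0.12 query constructed-label-3.avsvmcloud.com A NXDOMAIN
"""


def is_killswitch_domain(name: str) -> bool:
    """True for the killswitch domain itself or any subdomain of it.

    Accepts trailing dots, mixed case and bracket-defanged input ("[.]").
    A name that merely ends in the string (notavsvmcloud.com) does not match.
    """
    name = name.replace("[.]", ".").rstrip(".").lower()
    return name == KILLSWITCH_DOMAIN or name.endswith("." + KILLSWITCH_DOMAIN)


def triage_dns_log(text: str) -> dict:
    """Map each client IP to the killswitch-domain lookups it made.

    Each entry is (timestamp, queried name, answer IP or rcode). Lines in an
    unexpected format are skipped rather than aborting the whole triage.
    """
    hits = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not is_killswitch_domain(m["name"]):
            continue
        hits[m["client"]].append((m["ts"], m["name"], m["answer"] or m["rcode"]))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in triage_dns_log(SAMPLE_LOG).items():
        print(client, lookups)
```

Hosts listed in the output are candidates for the host-level review the article says is still needed, since the killswitch only limits the SUNBURST backdoor and not any additional persistence.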

The FBI is investigating the compromise of SolarWinds’ software updates, which the Washington Post has linked to a Russian intelligence service. SolarWinds’ software is used throughout Fortune 500 companies and in critical sectors such as electricity. The network monitoring vendor said in a Securities and Exchange Commission filing on Monday that the number of public and private customers with its vulnerable software installed was “fewer than 18,000,” without giving a precise figure.

Alex Stamos, Facebook’s former security chief, pointed out the hard work ahead for many security teams in corporate and government environments.

The killswitch action highlights the power that major technology companies have to throw up roadblocks for well-resourced hackers, and follows Microsoft and other firms’ attempt to disrupt a powerful botnet in October. Perhaps the most famous use of a killswitch during a malicious cyber campaign came during the 2017 WannaCry ransomware outbreak, when security researcher Marcus Hutchins registered a web domain found in the ransomware’s code, helping stop the spread of the global computer virus.
