URL: https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/
Submission: On April 30 via api from CA — Scanned from CA
MICROSOFT AND INDUSTRY PARTNERS SEIZE KEY DOMAIN USED IN SOLARWINDS HACK

UPDATED: The seized domain has been turned into a killswitch to prevent the
SolarWinds hackers from escalating infections and making new victims.
Written by Catalin Cimpanu, Contributor on Dec. 15, 2020

Microsoft and a coalition of tech companies have intervened today to seize and
sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has
learned from sources familiar with the matter.

The domain in question is avsvmcloud[.]com, which served as the command and
control (C&C) server for malware delivered to around 18,000 SolarWinds customers
via a trojanized update for the company's Orion app.



SolarWinds Orion updates versions 2019.4 through 2020.2.1, released between
March 2020 and June 2020, contained a strain of malware named SUNBURST (also
known as Solorigate).

Once installed on a computer, the malware would sit dormant for 12 to 14 days
and then ping a subdomain of avsvmcloud[.]com.

According to analysis from security firm FireEye, the C&C domain would reply
with a DNS response that contained a CNAME field with information on another
domain from where the SUNBURST malware would obtain further instructions and
additional payloads to execute on an infected company's network.


TAKEDOWN TO PREVENT LAST-DITCH HACKS

Earlier today, a coalition of tech companies seized and sinkholed
avsvmcloud[.]com, transferring the domain into Microsoft's possession.



Sources familiar with today's actions described the takedown as "protective
work" done to prevent the threat actor behind the SolarWinds hack from
delivering new orders to infected computers.

Even though the SolarWinds hack became public on Sunday, the SUNBURST operators
still had the ability to deploy additional malware payloads on the networks of
companies that had failed to update their Orion apps and still had the SUNBURST
malware installed on their networks.

In SEC documents filed on Monday, SolarWinds estimated that at least 18,000
customers installed the trojanized Orion app update and most likely have the
first-stage SUNBURST malware on their internal networks.



However, the hackers do not appear to have taken advantage of all these systems
and only carried out a handful of carefully orchestrated intrusions into the
networks of high-profile targets.

This was confirmed in a report on Monday from US security firm Symantec, which
said that it discovered the SUNBURST malware on the internal networks of 100 of
its customers, but it did not see any evidence of second-stage payloads or
network escalation activity.

Similarly, Reuters also reported on Monday, confirmed with independent sources
by ZDNet, that many companies that installed the trojanized Orion app update did
not discover evidence of additional activity and escalation on internal
networks, confirming that hackers only went after high-profile targets.

Since Sunday, when the SolarWinds hack came to light, the number of confirmed
victims has grown to include:

 * US cybersecurity firm FireEye
 * The US Treasury Department
 * The US Department of Commerce's National Telecommunications and Information
   Administration (NTIA)
 * The Department of Health's National Institutes of Health (NIH)
 * The Cybersecurity and Infrastructure Security Agency (CISA)
 * The Department of Homeland Security (DHS)
 * The US Department of State


SINKHOLING EFFORTS UNDERWAY TO DISCOVER ALL VICTIMS

Currently, the avsvmcloud[.]com domain redirects to an IP address owned by
Microsoft, with Microsoft and its partners receiving beacons from all the
systems where the trojanized SolarWinds app has been installed.



This technique, known as sinkholing, allows Microsoft and its partners to build
a list of all infected victims, which the organizations plan to use to notify
all affected companies and government agencies.



Image via Teri Radichel

"This is not the first time a domain associated with malware has been seized by
international law enforcement and even by a provider," ExtraHop CTO Jesse
Rothstein told ZDNet in an email, referring to Microsoft's previous takedown and
sinkholing efforts against the Necurs and TrickBot botnets.



Current takedown and sinkholing efforts also include representatives for the
Federal Bureau of Investigation and the Cybersecurity and Infrastructure
Security Agency, looking to find other US government agencies that might have
been compromised.



Due to SolarWinds' extensive US government clientele, government officials are
treating the SolarWinds compromise as a national security emergency. A day
before the SolarWinds breach became public, the White House held a rare meeting
of the US National Security Council to discuss the hack and its repercussions.

Indicators of compromise and instructions on how to discover and deal with a
SUNBURST malware infection are available from Microsoft, FireEye, and CISA.
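The beaconing behaviour described above (SUNBURST pinging a subdomain of avsvmcloud[.]com, and the C&C answering with a CNAME pointing at a next-stage host) is what makes the sinkhole useful to defenders: whoever holds the domain sees every infected host that still phones home. The same logic can be run locally over an organization's own resolver logs to find hosts that beaconed before the takedown. The script below is an added example written for this page, not code from ZDNet, Microsoft or FireEye. It assumes a BIND-style query-log line format and a simple three-column answer format, and every log line, hostname label and IP address in it is constructed sample data, not real indicator data. It goes slightly beyond the article by also rejecting look-alike names that merely contain the domain as a prefix.

```python
"""Triage DNS logs for beacons to the sinkholed SUNBURST C&C domain (added example)."""
import re
from collections import defaultdict

# Domain named in the article, without the defanging brackets so it matches real log text.
SINKHOLED_DOMAIN = "avsvmcloud.com"

# Constructed sample query-log lines (BIND-style format assumed; not real data).
# The random-looking leftmost labels are made up for this example.
SAMPLE_QUERY_LOG = """\
15-Dec-2020 10:02:11.123 client 10.0.4.12#53211: query: k2j9d8f7h3g1.avsvmcloud.com IN A + (10.0.0.2)
15-Dec-2020 10:02:13.555 client 10.0.4.12#53212: query: updates.example.org IN A + (10.0.0.2)
15-Dec-2020 10:05:40.010 client 10.0.7.33#40101: query: 8fh3k1l0q2w5.avsvmcloud.com IN A + (10.0.0.2)
15-Dec-2020 10:06:01.900 client 10.0.7.33#40102: query: avsvmcloud.com.evil-lookalike.test IN A + (10.0.0.2)
15-Dec-2020 10:09:15.342 client 10.0.4.12#53290: query: P0O9I8U7Y6T5.avsvmcloud.com. IN A + (10.0.0.2)
"""

# Constructed sample answer records: "<qname> <rrtype> <rdata>" (assumed format; not real data).
SAMPLE_ANSWERS = """\
k2j9d8f7h3g1.avsvmcloud.com CNAME stage2.example-cname.test
8fh3k1l0q2w5.avsvmcloud.com A 192.0.2.10
updates.example.org A 198.51.100.7
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def is_under_domain(qname, domain=SINKHOLED_DOMAIN):
    """True if qname is the domain itself or a subdomain of it.

    Checking the label boundary (".<domain>") rejects look-alikes such as
    "avsvmcloud.com.evil-lookalike.test", which a naive substring match would flag.
    """
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


def parse_query_log(text):
    """Yield dicts with client, qname and qtype for each line the regex recognises."""
    for line in text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            yield match.groupdict()


def find_beaconing_hosts(text, domain=SINKHOLED_DOMAIN):
    """Map each client IP that queried the C&C domain to the sorted set of names it asked for.

    This is the local equivalent of the victim list the sinkhole operator builds from beacons.
    """
    hosts = defaultdict(set)
    for rec in parse_query_log(text):
        if is_under_domain(rec["qname"], domain):
            hosts[rec["client"]].add(normalize(rec["qname"]))
    return {client: sorted(names) for client, names in hosts.items()}


def flag_cname_redirects(answers_text, domain=SINKHOLED_DOMAIN):
    """Return (qname, target) pairs for CNAME answers under the C&C domain.

    The article notes that the live C&C answered with CNAME records pointing at the
    host serving further instructions; a sinkholed domain answers with the sinkhole's
    own address instead, so any CNAME here is worth an analyst's attention.
    """
    flagged = []
    for line in answers_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname, rrtype, rdata = parts
        if is_under_domain(qname, domain) and rrtype.upper() == "CNAME":
            flagged.append((normalize(qname), normalize(rdata)))
    return flagged


if __name__ == "__main__":
    for client, names in sorted(find_beaconing_hosts(SAMPLE_QUERY_LOG).items()):
        print(f"{client} beaconed to: {', '.join(names)}")
    for qname, target in flag_cname_redirects(SAMPLE_ANSWERS):
        print(f"CNAME under C&C domain: {qname} -> {target}")
```

Point the script at real resolver logs by swapping the constructed strings for file contents; the hit list is then the set of internal hosts to prioritise for the Microsoft, FireEye and CISA guidance referenced above.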

--------------------------------------------------------------------------------

UPDATED on December 16: In an emailed statement, FireEye formally confirmed a
coordinated takedown of the SUNBURST C&C domain, together with Microsoft and
GoDaddy. FireEye explained that what ZDNet's sources described as "protective
work" was a killswitch mechanism found in the SUNBURST domain that could stop
attackers from escalating infections. Full statement below:

"As part of our commitment to our customers and community, FireEye continues to
take action to protect organizations from the SolarWinds supply chain attack. We
disclosed the supply chain attack shortly after we discovered it, and we
provided information on related malicious activity and coordinated with partners
to disable some malware related to this activity.



"SUNBURST is the malware that was distributed through SolarWinds software. As
part of FireEye's analysis of SUNBURST, we identified a killswitch that would
prevent SUNBURST from continuing to operate.

"Depending on the IP address returned when the malware resolves
avsvmcloud[.]com, under certain conditions, the malware would terminate itself
and prevent further execution. FireEye collaborated with GoDaddy and Microsoft
to deactivate SUNBURST infections.

"This killswitch will affect new and previous SUNBURST infections by disabling
SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in
the intrusions FireEye has seen, this actor moved quickly to establish
additional persistent mechanisms to access victim networks beyond the
SUNBURST backdoor. This killswitch will not remove the actor from victim
networks where they have established other backdoors. However, it will make it
more difficult for the actor to leverage the previously distributed versions
of SUNBURST."


