Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:55 PM
Connect Directly

FireEye Identifies Killswitch for SolarWinds Malware as Victims Scramble to Respond

White House National Security Council establishes unified group to coordinate response across federal agencies to the threat.

FireEye, which last Sunday disclosed a compromise at network management software vendor SolarWinds that allowed an unknown attacker to distribute malware to potentially thousands of organizations, has identified a killswitch that it says would prevent the malware from operating on infected networks.

But in networks where the attackers might have already deployed additional persistence mechanisms, the killswitch will not remove the threat from victim networks, according to the security vendor.

Related Content:

Concerns Run High as More Details of SolarWinds Hack Emerge

Building an Effective Cybersecurity Incident Response Team

FireEye on Sunday said that an investigation it was conducting into a breach of its own network last week uncovered a threat actor widely distributing a backdoor dubbed SUNBURST by hiding it in legitimate updates of SolarWinds' Orion network management technology.

SUNBURST (SolarWinds.Orion.Core.BusinessLayer dot dll) is a sort of first-stage Trojan that the attackers were using to drop additional payloads for escalating privileges, lateral movement, and data theft on infected networks, FireEye explained. The stealth, planning, and precision with which the attack was executed had all the hallmarks of a nation state-backed actor, the vendor said. FireEye is currently tracking the threat actor as UNC2452, but says it has not been able to identify whether and on whose behalf it might be operating. 

Security experts as well as some members of Congress who received classified briefings on the attack, point to Russia as the likely perpetrator.

FireEye has released IoCs and other data to help organizations detect and mitigate the threat. SolarWinds has released updates—including a hotfix today—that it says addresses the issue in all impacted versions of its technology. Since the breach was disclosed, Microsoft and numerous other vendors of malware detection tools have also added signatures for the malicious DLL that FireEye observed was being used to distribute SUNBURST.

An Effective Killswitch Under Some Circumstances

A FireEye spokesperson Wednesday said the company's analysis of SUNBURST showed the malware could be prevented from operating under the right conditions. "Depending on the IP address returned when the malware resolves avsvmcloud dot com under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections," the spokesperson said.

According to FireEye, the killswitch is effective against new and previous SUNBURST deployments that might be still beaconing out to avsvmcloud dot com, the location of the malware's command and control server. "However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor."

In these situations, the killswitch would not boot the threat actor out of an infected network. But it could make life harder for them to use already distributed versions of SUNBURST, FireEye said.

News of the killswitch comes amid high concerns over the potential scope and impact of the SolarWinds intrusion, which FireEye discovered when investigating a breach of its own network last week.

Obama-era Presidential Directive

On Tuesday, the White House National Security Council (NSC) announced that a Unified Coordination Group (UCG) had been established to ensure a coordinated federal agency response to the threat—as prescribed by PPD-41 an Obama-era directive. The PPD-41 process "facilitates continuous and comprehensive coordination for whole-of-government efforts to identify, mitigate, remediate, and respond to this incident," the NSC said. Earlier on Monday, the DHS's Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive that ordered all federal civilian agencies to immediately power off and disconnect instances of SolarWinds Orion, the network management product that the attacker used to distribute the malware.

A lot of the concern has to do with the potential scope and impact of the breach. SolarWinds supplies network management technology to most federal agencies, all five branches of the military, and almost all Fortune 500 companies, in addition to thousands of managed services provides.

The company's Orion network management tool provides SolarWinds with access deep into some of the biggest, most sensitive networks in the world. Many believe that by poisoning legitimate Orion updates with SUNBURST malware, the attackers have managed to gain what some refer to as "God-mode access" on the compromised networks. Among those believed impacted in the breach are federal agencies like the US Treasury Department, Homeland Security, Justice Department, and State Department.

Researchers from Huntress Labs, which earlier this year validated a zero-day exploit involving another SolarWinds technology called N-Central on Wednesday, said they had compiled a list of more than 4,000 domains and subdomains tied to the poisoned DLL. Huntress Labs' analysis of available data showed the backdoored DLL to be present across 500,000 systems, but only within the Orion product.

According to the vendor, the malicious DLL can be present in three specific SolarWinds programs and 12 distinct locations on a computer filesystem. However, the presence of the DLL alone does not indicate a compromise, the vendor stressed.

Multiple SolarWind Vulnerabilities

SolarWinds has not yet disclosed how exactly the attacker managed to gain enough access on its systems to be able to insert malware into the company's legitimate software updates. The company has noted that preliminary investigations show a compromise of SolarWinds' build system.

Data available on the MITRE CVE vulnerability database shows that researchers have reported 23 vulnerabilities on SolarWinds' technologies this year alone. Many of them—including six that were disclosed in August—have been in N-Central, a SolarWinds' remote monitoring technology.

Daniel Trauner, director of security at Axonius, says incidents like this highlight the importance of good vendor security risk-assessment practices. Organizations should look at public examples of vendor security risk assessment questionnaires such as Google’s VSAQ to get an idea of what to focus on, he says.

At the same time, there are limits to how much vetting one can do, he says.

"Even though larger and more mature enterprises usually have a formal change-control process designed to minimize the risk inherent in modifying existing access or systems, there are usually practical limits for this model," he says. Most of the focus is going to rightfully be on a subset of critical systems and specific elements of the change, such as highlighting any privileged access changes or testing the stability of the system after a patch is applied.

"Unfortunately, there are likely no reasonable routine checks that would have been part of a change management process that would have caught this backdoored SolarWinds update," he says.

The SolarWinds incident has punctuated the dangerous exposure of US federal agencies to threats via the supply chain, says Jacob Olcott vice president of communications and government affairs at BitSight.

Government agencies rely on a vast third-party supply chain with limited visibility into the security posture of critical providers, he says. Current approaches do not adequately address the risk and a significant change in thinking and technological approach to supply chain security is needed.

"For the last five years, adversaries have been able to access valuable personal information, sensitive intellectual property, trade secrets, and other critical national security information by penetrating the government's supply chain," Olcott notes.

"It must integrate cybersecurity into all contracts, placing requirements on contractors to meet certain cybersecurity standards."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-21
In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the implementation of the RPMB command status, in which an attacker can write to the Write Protect Configuration Block, which may lead to denial of service or escalation of privileges.
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVDEC component, in which an attacker can read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or escalation of privileges.
PUBLISHED: 2021-01-20
NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVHost function, which may lead to abnormal reboot due to a null pointer reference, causing data loss.
PUBLISHED: 2021-01-20
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...