FireEye, Microsoft identify 'killswitch' to remove malware impacting SolarWinds Orion software
But hackers may still have other means to retain access to victim networks, security experts warn
Cybersecurity giant FireEye has teamed up with Microsoft and the domain registrar GoDaddy to create a 'killswitch' for the Sunburst (or Solorigate) backdoor that a state-backed hacking group used to breach the computer networks of the US Treasury, other federal agencies and FireEye itself.
According to FireEye, the killswitch forces the malware to terminate itself, turning the backdoor's own command-and-control domain against the extensive cyber espionage campaign it served.
Earlier this week, SolarWinds disclosed in an SEC filing that hackers with ties to an "outside nation state" had breached the company's network and inserted malicious code into a Windows DLL file used by its Orion network management software.
The company said that updates to the software were issued between March and June of this year, and fewer than 18,000 customers are thought to have downloaded the compromised update.
Media reports had earlier disclosed that the SolarWinds backdoor was used to breach computer systems belonging to the Departments of Homeland Security, Commerce and Treasury, among others.
The US government on Sunday confirmed reports that hackers backed by a foreign government breached the computer networks of the US Treasury Department and an agency within the Commerce Department.
It emerged that the group behind these attacks had access to the internal email systems of federal agencies, which enabled the hackers to monitor staff emails for several months.
FireEye stated on Sunday that its analysis of the Sunburst backdoor showed that the malware communicates with a command and control (C2) server at a subdomain of avsvmcloud[.]com to receive commands for execution. The company said that if that domain resolved to an IP address within certain specific ranges, the malware would terminate and never execute again. Because the attackers, rather than the victim, controlled what the domain resolved to, whoever holds the domain can return such an address to every infected host that checks in.
"Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution," it said.
KrebsonSecurity reported on Monday that security experts had seized the domain avsvmcloud[.]com with the help of GoDaddy, and that it now resolves to the IP address 20.140.0.1, which belongs to Microsoft. That address falls within one of the ranges that trigger the termination routine, so infected systems that phone home are now handed an answer that causes Sunburst to disable itself. The malicious traffic arriving at the domain is being 'sinkholed' and analysed to identify further victims.
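As an added example (not code from the article, FireEye, Microsoft or SolarWinds), the following Python script does two things a responder would want at this point: it applies the implant's own resolved-address rule to decide whether a given answer would have shut Sunburst down, and it triages resolver log lines for lookups of avsvmcloud[.]com subdomains, labelling each host's beacons. The blocklisted ranges are an assumption taken from FireEye's published analysis (the article itself names only 20.140.0.1) and are limited to IPv4; the log format, host names, timestamps, subdomain labels and the CNAME target are constructed for the example.

```python
"""Triage DNS resolver logs for Sunburst beacons and apply the killswitch test.

Added example; not code from the article, FireEye, Microsoft or SolarWinds.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# The C2 apex domain named in the article (written defanged there as avsvmcloud[.]com).
C2_APEX = "avsvmcloud.com"

# Resolved-address blocks that make the implant disable itself. Assumption: the IPv4
# blocks from FireEye's published Sunburst analysis; the article names only 20.140.0.1.
KILL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
)]

# Sinkhole address the seized domain now resolves to (Microsoft space, per the article).
SINKHOLE_IP = "20.140.0.1"


def is_c2_domain(name: str) -> bool:
    """True for avsvmcloud.com itself or any subdomain of it (case-insensitive)."""
    name = name.rstrip(".").lower()
    return name == C2_APEX or name.endswith("." + C2_APEX)


def kills_implant(answer: str) -> bool:
    """The implant's rule: an A-record answer inside a blocklisted range means 'terminate'."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False  # not an address (e.g. a CNAME target); the rule does not apply
    return any(ip in net for net in KILL_RANGES)


# Constructed resolver log format (one record per line):
#   <timestamp> client=<host> query=<name> type=<rrtype> answer=<data>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+"
    r"type=(?P<type>\S+)\s+answer=(?P<answer>\S+)$"
)


def triage(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group Sunburst lookups by client host and label each answer.

    Labels: 'killswitch' (answer in a range that disables the implant, which includes
    the sinkhole), 'live-c2' (any other address, i.e. the implant would keep running),
    'cname' (a redirection to another host, worth its own lookup).
    """
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_c2_domain(m["query"]):
            continue  # malformed, or not a lookup of the C2 domain
        if m["type"].upper() == "CNAME":
            label = "cname"
        elif kills_implant(m["answer"]):
            label = "killswitch"
        else:
            label = "live-c2"
        findings.setdefault(m["client"], []).append((m["ts"], m["query"], label))
    return findings


# Constructed sample lines: hosts, times, subdomain labels and the CNAME target are made up;
# the non-sinkhole addresses are from documentation (TEST-NET) ranges.
SAMPLE_LOG = """
2020-12-10T08:12:04Z client=build-srv-02 query=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com type=A answer=198.51.100.23
2020-12-10T08:12:05Z client=build-srv-02 query=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com type=CNAME answer=cdn.example.net
2020-12-15T02:40:19Z client=build-srv-02 query=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com type=A answer=20.140.0.1
2020-12-15T02:41:07Z client=fileshare-01 query=www.solarwinds.com type=A answer=203.0.113.10
"""

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOG.strip().splitlines()).items():
        for ts, query, label in hits:
            print(f"{host}\t{ts}\t{label}\t{query}")
```

A host whose earlier lookups are labelled 'live-c2' was being served a real C2 address before the takedown and should be treated as compromised regardless of the later 'killswitch' answer; a 'cname' answer names further attacker infrastructure to hunt for across the rest of the logs.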
FireEye, however, warned that the hackers behind the campaign, believed to be the Russian group Cozy Bear (also tracked as APT29), are highly skilled and sophisticated and may still have other means of retaining access to victim networks, so the killswitch removes the Sunburst implant but does not by itself evict the intruders.
The development comes as the Washington Post reported on Tuesday that two SolarWinds investors had sold $280 million in stock six days before the security breach was revealed.
According to the Post, Silver Lake and Thoma Bravo sold $158 million and $128 million in shares, respectively, on 7th December.
The two firms together own nearly 70 per cent of SolarWinds' stock and also control six seats on the company's board of directors.
Earlier, in November, SolarWinds' long-time CEO Kevin Thompson also resigned and divested more than $15 million in shares in the company, according to the report.
SolarWinds' stock price has fallen more than 20 per cent since the disclosure of the hack.
The claims have now raised questions as to when SolarWinds became aware of the hack and whether company insiders knew of the breach when its biggest investors sold their stock.