Over the weekend, cybersecurity researchers published a list of nearly 280 organizations affected by the SolarWinds attack and, specifically, by the Sunburst (aka Solorigate) malware. The list includes local governments, universities, hospitals, banks, telecom providers, and big tech companies such as Intel, Cisco, Belkin, Nvidia, Rakuten, SAP, and many others.
According to security researchers, Sunburst is a trojanized version of the SolarWinds Orion app that was distributed in updates released between March and June of this year. Once an organization installed the trojanized update, the Sunburst backdoor was running inside its internal network; this is how many companies and government organizations were compromised.
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA), together with Microsoft, McAfee, FireEye, Kaspersky, and Symantec, released a report describing how Sunburst behaves once it is on a system: after lying dormant for roughly 12 to 14 days, it collects information about the victim network and sends it to a remote command-and-control (C&C) server.
The attackers are believed to be a state-sponsored group from Russia, who analyze the collected data and retain whatever information could be used to their advantage.
A week ago, SolarWinds acknowledged the breach and stated that nearly 18,000 of its 300,000 customers had installed the trojanized Orion update and were therefore running Sunburst.
Unfortunately, SolarWinds could not name all of the affected companies; it is still analyzing the infected networks.
According to the malware researchers, once Sunburst has collected data from an infected network, it sends that data to a per-victim C&C hostname: a generated subdomain of avsvmcloud[.]com that encodes the victim's own domain name.
To identify all of the companies impacted by Sunburst, independent researchers and security companies have been monitoring web traffic and passive DNS data for avsvmcloud[.]com, collecting the subdomains that were queried and decoding them back into victim names.
At this point, Dewan Chowdhury, TrueSec, Prevasio, and QiAnXin have released lists of organizations affected by Sunburst, together with tools for decoding the avsvmcloud[.]com subdomains.
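The passive-DNS hunting method described above, as an added example that is not part of the original article and not code from any of the researchers named in it. The script walks a set of passive-DNS records, keeps only queries under the four avsvmcloud[.]com hostnames that FireEye published as Sunburst C&C parents, and builds one candidate entry per generated label with first-seen and last-seen timestamps, query count and any CNAME answers. The CNAME flag matters because, per FireEye's public analysis, a CNAME in the C&C response was how the operators pointed a chosen victim at second-stage infrastructure, so CNAME-bearing labels are the ones to triage first. The record format, timestamps, labels, IPs and the `stage2.example` target are all constructed sample data; decoding a label back into the victim's domain name is left to the published decoding tools and is not attempted here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Parent hostnames under avsvmcloud[.]com that Sunburst's generated labels were
# appended to (from FireEye's published Sunburst indicators).
AVSVMCLOUD_PARENTS = (
    "appsync-api.eu-west-1.avsvmcloud.com",
    "appsync-api.us-west-2.avsvmcloud.com",
    "appsync-api.us-east-1.avsvmcloud.com",
    "appsync-api.us-east-2.avsvmcloud.com",
)

# Constructed sample in a simple "timestamp qname rrtype rdata" layout; these are
# not real passive-DNS records, labels or IPs.
SAMPLE_PDNS = """\
# constructed sample, not real passive-DNS data
2020-06-02T11:03:44Z 7s2tr6ai1lpk3vt8.appsync-api.us-east-1.avsvmcloud.com A 203.0.113.7
2020-06-14T09:12:03Z 7s2tr6ai1lpk3vt8.appsync-api.us-east-1.avsvmcloud.com A 203.0.113.7
2020-06-15T08:00:10Z 7s2tr6ai1lpk3vt8.appsync-api.us-east-1.avsvmcloud.com CNAME stage2.example
2020-05-28T03:45:00Z k9ru2d0b6n5fma.appsync-api.eu-west-1.avsvmcloud.com A 203.0.113.9
2020-06-01T16:20:00Z www.example.org A 198.51.100.5
2020-06-03T12:00:00Z avsvmcloud.com A 203.0.113.1
"""


@dataclass
class Record:
    ts: str
    qname: str
    rrtype: str
    rdata: str


@dataclass
class Candidate:
    label: str                 # generated label the backdoor prepended to the parent
    parent: str                # which of the four parent hostnames it was queried under
    first_seen: str
    last_seen: str
    queries: int = 0
    cname_targets: List[str] = field(default_factory=list)

    @property
    def stage_two(self) -> bool:
        # A CNAME answer is the operator pointing this victim at follow-on C&C.
        return bool(self.cname_targets)


def parse_line(line: str) -> Optional[Record]:
    """Parse one record; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed passive-DNS line: {line!r}")
    ts, qname, rrtype, rdata = parts
    return Record(ts, qname.lower().rstrip("."), rrtype.upper(), rdata.lower().rstrip("."))


def split_avsvmcloud(qname: str) -> Optional[Tuple[str, str]]:
    """Return (label, parent) when qname sits under a known C&C parent, else None."""
    for parent in AVSVMCLOUD_PARENTS:
        if qname.endswith("." + parent):
            return qname[: -len(parent) - 1], parent
    return None


def triage(lines) -> List[Candidate]:
    """Aggregate passive-DNS lines into per-label candidates, CNAME hits first."""
    cands: Dict[Tuple[str, str], Candidate] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = split_avsvmcloud(rec.qname)
        if hit is None:
            continue
        label, parent = hit
        cand = cands.get((label, parent))
        if cand is None:
            cand = Candidate(label, parent, rec.ts, rec.ts)
            cands[(label, parent)] = cand
        cand.queries += 1
        # ISO-8601 UTC timestamps compare correctly as strings.
        cand.first_seen = min(cand.first_seen, rec.ts)
        cand.last_seen = max(cand.last_seen, rec.ts)
        if rec.rrtype == "CNAME":
            cand.cname_targets.append(rec.rdata)
    return sorted(cands.values(), key=lambda c: (not c.stage_two, c.first_seen))


if __name__ == "__main__":
    for c in triage(SAMPLE_PDNS.splitlines()):
        flag = "STAGE2" if c.stage_two else "beacon"
        print(f"{flag:6} {c.label:20} {c.parent:40} {c.first_seen} .. {c.last_seen} "
              f"({c.queries} queries) {','.join(c.cname_targets)}")
```

Each surviving label still has to be decoded into a victim domain name with one of the published tools before it can be matched to an organization; the value of the triage above is ordering that work, since a label that received a CNAME answer identifies a victim the operators actually chose to pursue rather than one that merely beaconed.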