“Sunburst” Main Communications Domain Turned Into Kill-Switch

By Bill Toulas / December 17, 2020

Microsoft acquired full control of the “avsvmcloud[.]com” domain, which SolarWinds hackers used for their backdoor communications in the recently disclosed cyber-espionage campaign that targeted critical American entities. The domain was seized following a collaborative operation by Microsoft, FireEye, and GoDaddy.

For those of you who haven’t been following infosec news recently, FireEye was compromised by the same actors in the same way. That is a supply chain attack called “Sunburst” because the hack used SolarWinds software.

Now that the communications domain is turned into a kill-switch, the distribution of the backdoor has stopped, and the infections have been deactivated. The relevant statement from FireEye mentions that depending on the IP address returned when the malware resolves avsvmcloud[.]com, and under certain conditions, the malware would terminate itself and prevent further execution.

It is important to clarify, though, that this wasn’t the only domain used by the actors, so not every deployment has been dealt with. Also, if the hackers have established other backdoors on the compromised network, those will remain unaffected by this action. And finally, the presence of hackers on these networks is not threatened by the kill-switch domain. All that said, this move is just the first defense against Sunburst, and there’s still a long way to go before the attack can be considered is contained.

SolarWinds has estimated that the malicious update may have been pushed to about 18,000 customers. This may be a relatively small number considering the userbase of the Orion tool, but it’s still a big problem when considering the high-profile entities that could have been compromised. The kill-switch could help Microsoft and FireEye determine which companies have been infected, so we may soon have a more concrete number.

Sunburst's obfuscated communications were decoded by Chinese cybersecurity firm “RedDrip,” who confirmed that there are hundreds of active deployments, including universities, high-tech firms, and government departments. It’s clear that this is a massive infection that is complex to even uproot, let alone fully analyze and evaluate. We’re still many months away from that point, but the domain seizure was a solid first step in the process.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: