Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself.
This past weekend it was revealed that Russian state-sponsored hackers breached SolarWinds and added malicious code to a Windows DLL file used by their Orion IT monitoring platform.
This malicious DLL is a backdoor tracked as Solarigate (Microsoft) or Sunburst (FireEye) and was distributed via SolarWinds’ auto-update mechanism to approximately 18,000 customers, including the U.S. Treasury, US NTIA, and the U.S. Department of Homeland Security.
As part of a coordinated disclosure with Microsoft and SolarWinds, FireEye released a report on Sunday with an analysis of the supply chain attack and how the Sunburst backdoor operates. This research revealed that the Sunburst backdoor would connect to a command and control (C2) server at a subdomain of avsvmcloud[.]com to receive ‘jobs’, or commands to execute.
Source: Bleeping Computer