Microsoft, FireEye create kill switch for SolarWinds backdoor
The kill switch follows several other moves Microsoft made against the malware, including removing digital certificates and quarantining the malware in Windows Defender.
After a week plagued by the SolarWinds supply chain attack, cybersecurity companies are now actively fighting back against the threat actors.
FireEye revealed on Sunday that nation-state actors had placed a backdoor in software updates for SolarWinds' Orion platform, which was used to breach the cybersecurity vendor as well as several U.S. government agencies. In response, a joint effort between Microsoft, FireEye and GoDaddy has turned the primary domain used in the SolarWinds backdoor into a kill switch for the malware, which FireEye calls "Sunburst." A FireEye spokesperson provided a statement to SearchSecurity Wednesday evening regarding the development.
"As part of FireEye's analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate," it read. "Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections."
The statement goes on to say that the kill switch "will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com." As FireEye noted, the SolarWinds attackers have other ways to access victim networks, but the kill switch makes it "more difficult for the actor to leverage the previously distributed versions of SUNBURST."
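For defenders, infections that are "still beaconing to avsvmcloud[.]com" leave a trace in DNS logs, so one practical check is to list every internal client that looked up the domain or a subdomain of it. The Python sketch below is an added example, not code from FireEye, Microsoft or this article; the log layout, sample lines and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Domain from FireEye's statement (written defanged on the page).
SUNBURST_DOMAIN = "avsvmcloud.com"

# Constructed sample log; the "timestamp client qname qtype answer" layout
# is an assumption, and all addresses are documentation/private ranges.
SAMPLE_LOG = """\
2020-12-14T09:12:01Z 10.0.4.17 x1.sub.AVSVMCLOUD.com. A 192.0.2.10
2020-12-14T09:13:40Z 10.0.5.5 notavsvmcloud.com A 198.51.100.20
2020-12-15T02:30:00Z 10.0.9.3 avsvmcloud.com A 198.51.100.7
2020-12-15T03:00:00Z 10.0.5.6 avsvmcloud.com.example.net A 203.0.113.9
this line is malformed
2020-12-16T11:45:12Z 10.0.4.17 x2.sub.avsvmcloud.com A 198.51.100.7
"""


def is_sunburst_name(qname):
    """True for the domain or any subdomain; ignores case and trailing dot."""
    name = qname.strip().rstrip(".").lower()
    # Require a label boundary so look-alike names do not match.
    return name == SUNBURST_DOMAIN or name.endswith("." + SUNBURST_DOMAIN)


def find_beaconing_hosts(log_text):
    """Map each client that queried the domain to count, first/last seen, answers."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "answers": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not is_sunburst_name(parts[2]):
            continue  # skip malformed lines and unrelated names
        ts, client, _qname, _qtype, answer = parts
        h = hosts[client]
        h["count"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        h["first"] = min(h["first"] or ts, ts)
        h["last"] = max(h["last"] or ts, ts)
        h["answers"].add(answer)  # what the name resolved to for this host
    return dict(hosts)


if __name__ == "__main__":
    for client, h in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(client, h["count"], h["first"], h["last"], sorted(h["answers"]))
```

The answers are kept per host because, according to FireEye's statement, the malware's behavior depends on the IP address returned for the domain.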
Earlier this week, KrebsOnSecurity reported that the domain appeared to have changed hands to Microsoft.
Microsoft has been an active force in mitigating the impact of Sunburst, which it refers to as "Solorigate," moving Sunday to remove the digital certificates from malicious files and update Microsoft Windows Defender to detect the malware. And on Wednesday, Microsoft took action to quarantine the malware by "blocking the known malicious SolarWinds binaries."
GreyNoise Intelligence founder Andrew Morris told SearchSecurity that he was encouraged by the news.
"It's pretty normal for malware of a certain sophistication or from a certain group of actors to have kill switches or functionality to remove themselves asynchronously. We saw this happen with WannaCry. And so, it's certainly encouraging to hear that Microsoft and FireEye have activated the kill switch. But that's all we know to be true so far. There's so much unknown that it's very, very difficult to tell how good it is or how happy we should be about that," he said.