SolarWinds: FireEye, Microsoft & GoDaddy Build “Killswitch” for Sunburst Malware

Source: Heise.de added 17th Dec 2020


Microsoft has taken over a domain that the masterminds behind the “SolarWinds” incidents had previously used to communicate with infected systems, it became known on Tuesday. Now there is more information: the domain in question, avsvmcloud.com, was converted into a kill switch by Microsoft and FireEye in cooperation with the responsible registrar GoDaddy. The kill switch is intended to switch off the “Sunburst” malware on the affected systems.

Sunburst can be switched off in some cases

Under certain conditions, and depending on the IP address returned to the malware when the domain is resolved, the kill switch can give the “Sunburst” code the command to switch off and prevent further (probably later) execution, according to a FireEye statement published by IT security blogger Brian Krebs.

Sunburst was delivered from March to June 2020 via infected updates for the network management software platform SolarWinds Orion to the systems of up to 18,000 SolarWinds customers, including several US departments and agencies. There the malware installed a backdoor, enabling remote control of the infected systems.

The same as yet unidentified group that had previously successfully attacked the company FireEye is said to be behind the attacks. Heise online has reported several times in detail about the incidents, most recently yesterday, Wednesday:

Danger not averted, attacker still active

It is clear from FireEye's statement in Brian Krebs' blog entry that the danger has not yet been averted: the kill switch works with earlier and current Sunburst variants that communicate with avsvmcloud.com, and it makes it more difficult for the malware's creators to continue using those variants to their advantage.

However, this does not necessarily make compromised networks inaccessible to them: FireEye observed that the group quickly switched to other strategies to secure permanent backdoor access.

(ovw)

Read the full article at Heise.de

brands: CODE  Microsoft  Orion  other  
media: Heise.de  
keywords: Software  
