Intelligence from the SolarWinds Cyberattack, which is being called Sunburst, continues to come to light as security professionals around the globe are trying to understand what happened and what the risk is to them and their clients.  With many of the answers likely to take months or longer to fully understand the scope of the attack here.

Reuters talked to the security researcher Vinoth Kumar whom reportedly alerted SolarWinds back in 2019 that anyone could access the company’s update server using the password ‘solarwinds123’, adding that this could have been done by any attacker.

Yesterday, Solarwinds released the hot fix 2020.2.1 HF2, and is encouraging all users to update as soon as possible, this was after multiple sources indicated that the initial hot fix still had code embedded for the attack.  This hot fix is for the Orion Platform, which is embedded in 18 products offered by Solarwinds.

As part of reverse engineering, researchers identified that the domain AVSVMCLOUD.com was being utilized as a control server for the attack.  Here the malware sits dormant for 12 to 14 days before calling the domain, so it may take some time to discover who is affected. FireEye found that the malware would terminate itself and prevent further execution when the IP addresses for AVSVMCLOUD.com returned some conditions, including Microsoft’s IP addresses, which is believed to be designed to prevent Microsoft from examining the malware.

Microsoft and other industry partners have seized the domain name and have begun the technique known as sinkholing to build a list and notify the victims. 

Since Sunday, the number of confirmed victims has grown and now includes:

• Cybersecurity firm FireEye
• US Treasury Department
• US Department of Commerce’s National Telecommunications and Information Administration
• Department of Health’s National Institutes of Health
• Cybersecurity and Infrastructure Agency
• Department of Homeland Security
• US Department of State

It should also be noted that in a lot of cases the cyber criminals behind this attack acted quickly and likely established persistent mechanisms to access a victim’s network beyond the Sunburst backdoor.  Microsoft has started to block the known malicious binaries already.

I would expect more information coming to light over the upcoming days and weeks, as with any cyber-attack of this magnitude there are multiple people investigating and digging into the malware.

As far as your environment goes, you should have a service that logs website traffic and you can likely use that to search for the domain AVSVMCLOUD.com, and if you get any hits then you can assume you are a victim of the Sunburst malware.

From there you want to begin your investigation and identify your risk.