Threat actors compromised the IT monitoring and management software of organizations including SolarWinds’s Orion, Intel, Cisco, Nvidia.
Trojanized version of SolarWinds
SolarWinds is a software company that primarily deals in systems management tools used by IT professionals
Over 100 to 280 organizations installed a trojanized version of the SolarWinds Orion platform that infects internal systems with the Sunburst malware.
Importantly, tech companies under category — local governments, universities, hospitals, banks, and telecom providers.
In addition, the biggest organizations that falls under the above category on includes:
| Cisco | Belkin |
| SAP | Amerisafe |
| Intel | Lukoil |
| Cox Communications | Rakuten |
| Deloitte | Check Point |
| Nvidia | Optimizely |
| Fujitsu | Digital Reach and Digital Sense |
SUNBURST Malware — Subdomains
According to a SANS report, It is known that the malware was deployed as an update from SolarWinds’ own servers and was digitally signed by a valid digital certificate bearing their name
- This strongly points to a supply chain attack
- The certificate was issued by Symantec — Serial Number: 0fe973752022a606adf2a36e345dc0ed
The way security researchers compiled these lists was by reverse-engineering the Sunburst (aka Solorigate) malware.
However, it is found that this malware was injected inside updates for the SolarWinds Orion app released between March and June 2020.
According to report by multiple security researchers, on infected systems —
- the malware would gather information about the victim company’s network
- wait for 12 to 14 days
- and then send the data to a remote command and control server (C&C).
Post Compromise Attack:
FireEye has uncovered a widespread campaign, tracking as UNC2452.
After gaining initial access, the attacker uses a variety of techniques to disguise their operations.
Importantly, unique URL researchers identified subdomain — avsvmcloud[.]com and contained four parts, where the first part was a random-looking string.
But, security researchers said that this string wasn’t actually unique but contained the encoded name of the victim’s local network domain.
Detection & Mitigations:
A growing list of First-stage and Second-stage victims are getting high, including companies like Cisco, Intel, VMware, Microsoft that have formally confirmed they got infected.
“Escalation” usually happened when the avsvmcloud[.]com C&C server replied to an infected company with a very specific DNS response that contained a special CNAME field.
Moreover, the location of a second C&C server from where the Sunburst malware would get additional commands and sometimes download other malware, can be found in special DNS CNAME field.
Check for the below IOC’s in your environment.
Indicator’s of Compromise
IP address:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 224.0.0.0/3
- fc00:: – fe00::
- fec0:: – ffc0::
- ff00:: – ff00::
- 20.140.0.0/15
- 96.31.172.0/24
- 131.228.12.0/22
- 144.86.226.0/24
Hash Value:
| Malware | 02af7cec58b9a5da1c542b5a32151ba1 | UNC2452 Campaign |
| Malware | 08e35543d6110ed11fdf558bb093d401 | UNC2452 Campaign |
| Malware | 2c4a910a1299cdae2a4e55988a2f102e | UNC2452 Campaign |
| Malware | 4f2eb62fa529c0283b28d05ddd311fae | UNC2452 Campaign |
| Malware | 56ceb6d0011d87b6e4d7023d7ef85676 | UNC2452 Campaign |
| Malware | 846e27a652a5e1bfbd0ddd38a16dc865 | UNC2452 Campaign |
| Malware | b91ce2fa41029f6955bff20079468448 | UNC2452 Campaign |
| Malware | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | UNC2452 Campaign |
| Malware | 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 | UNC2452 Campaign |
| Malware | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | UNC2452 Campaign |
| Malware | 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 | UNC2452 Campaign |
| Malware | c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 | UNC2452 Campaign |
| Malware | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | UNC2452 Campaign |
| Malware | d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 | UNC2452 Campaign |
| Malware | 1b476f58ca366b54f34d714ffce3fd73cc30db1a | UNC2452 Campaign |
| Malware | 2f1a5a7411d015d01aaee4535835400191645023 | UNC2452 Campaign |
| Malware | 47d92d49e6f7f296260da1af355f941eb25360c4 | UNC2452 Campaign |
| Malware | 75af292f34789a1c782ea36c7127bf6106f595e8 | UNC2452 Campaign |
| Malware | 76640508b1e7759e548771a5359eaed353bf1eec | UNC2452 Campaign |
| Malware | c2c30b3a287d82f88753c85cfb11ec9eb1466bad | UNC2452 Campaign |
| Malware | d130bd75645c2433f88ac03e73395fba172ef676 | UNC2452 Campaign |
Domain Names:
| avsvmcloud.com | UNC2452 Campaign |
| databasegalore.com | UNC2452 Campaign |
| deftsecurity.com | UNC2452 Campaign |
| freescanonline.com | UNC2452 Campaign |
| highdatabase.com | UNC2452 Campaign |
| incomeupdate.com | UNC2452 Campaign |
| panhardware.com | UNC2452 Campaign |
| thedoccloud.com | UNC2452 Campaign |
| websitetheme.com | UNC2452 Campaign |
| zupertech.com | UNC2452 Campaign |
Host Names:
| appsync-api.eu-west-1.avsvmcloud.com | UNC2452 Campaign |
| appsync-api.us-east-1.avsvmcloud.com | UNC2452 Campaign |
| appsync-api.us-east-2.avsvmcloud.com | UNC2452 Campaign |
| appsync-api.us-west-2.avsvmcloud.com | UNC2452 Campaign |
| 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com | UNC2452 Campaign |
| 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com | UNC2452 Campaign |
| gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com | UNC2452 Campaign |
| ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com | UNC2452 Campaign |
| k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com | UNC2452 Campaign |
| mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com | UNC2452 Campaign |
Leave A Comment