In brief In an 8-K filing to the US Securities and Exchange Commission, SolarWinds has given more details on exactly how it learned its servers were spewing out malware.
The notice [PDF] says that FireEye notified the network management biz’s CEO (who had only been on the job for three days) of a serious security issue on 12 December. But by then the SUNBURST malware had already spread to around 18,000 customers.
“The vulnerability has only been identified in updates to the Orion Platform products delivered between March and June 2020, but our investigations are still ongoing,” the filing said.
“Also, while we are still investigating our non-Orion products, to date we have not seen evidence that they are impacted by SUNBURST. The vulnerability was not evident in the Orion Platform products’ source code but appears to have been inserted during the Orion software build process.”
The 12 December date could be very important to SolarWinds’ two largest shareholders. On 7 December Silver Lake and Thoma Bravo sold $286 worth of shares in the company. Those shares are now worth around 20 per cent less than they were then, and an SEC inquiry has been mulled.
But a new report on Friday suggested that the attackers may have had access to SolarWinds’ system back in October 2019. Sources familiar with the matter said the hackers injected non-malicious files into SolarWinds’ systems, possibly as a dummy run to see if the intrusion would be detected.
Bad winds blocked, for now
Security shop FireEye, along with other sources, has confirmed that the main malware controller being used in the SolarWinds attack was killed off this week.
Hackers unknown, believed to be state-sponsored, have been romping through some 18,000 of SolarWinds’ Orion customer servers using malware installed via an update server. FireEye, Microsoft and GoDaddy believe the avsvmcloud domain has been used to coordinate attacks, and it is now under Redmond’s control.
“Sunburst is the malware that was distributed through SolarWinds software. As part of FireEye’s analysis of Sunburst, we identified a killswitch that would prevent Sunburst from continuing to operate,” the company told The Reg.
“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate Sunburst infections.”
FireEye said that the loss of the avsvmcloud domain will stop infected systems from communicating but that it isn’t a silver bullet. The team behind this hack has proved adept at installing secondary or tertiary backdoors after gaining initial access.
Mobile hackers crack Channel Island telco
Rayzone Group, an Israeli private investigations firm, has been accused of infiltrating a small UK telco.
Sure Guernsey, a mobile operator in the Channel Islands, leased an access point to its network to a third party, who, it is claimed, then let Rayzone use it. Thanks to long-standing flaws in the Signaling System 7 protocol used by network operators, this could have been used to track almost any handset in the world, intercept messages, and defeat two-factor authentication.
“Sure does not lease access to global titles directly or knowingly to organisations for the purposes of locating and tracking individuals or for intercepting communications content,” the telco told The Guardian, adding that it has since terminated the access point and is monitoring its network for suspicious behavior.
Chrome and Edge extensions infect three million
Czech security shop Avast issued a warning that up to three million Chrome and Edge users could have been infected with malware hidden in browser extensions.
“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware,” said Jan Rubín, malware researcher at Avast.
The malware is also cunning in that it shuts down its activities if it suspects the user might have noticed something, for example if they search for one of the domain names the code uses or start checking information on the extension itself.
The extensions are still live at the moment but Google and Microsoft said they are investigating.
China accused of hacking African Union with secret servers
A report from the African Union seen by Reuters suggested that a Chinese hacking group dubbed “Bronze President” set up a server farm to siphon off camera footage from the AU’s last annual summit of the continent’s leaders.
After getting a tipoff from Japan’s Computer Emergency Response Team, the AU’s staff found a cluster of servers hidden in the basement of a building on the AU’s Addis Ababa campus that were forwarding footage from meeting rooms and offices – “a huge volume of traffic”. The operation hid the outgoing data in normal network activity, even to the extent of slowing the flow during lunch hours.
The claims are similar to those made by Le Monde in 2018. In that instance, servers were allegedly found in the AU’s new Chinese-built conference center that were sending home copies of server activity every night. The building was also claimed to be riddled with listening devices.
“We never interfere in Africa’s internal affairs and wouldn’t do anything that harms the interests of the African side,” the Chinese mission to the AU said in a statement. ®