SolarWinds: Domain Seized and Used as Kill Switch
Microsoft and a group of other tech companies have seized and sinkholed a malicious domain that was being used as a command-and-control server to communicate with networks infected through the SolarWinds supply chain attack. The domain has been reconfigured so that in some cases, it acts as a kill switch, preventing the SUNBURST malware that was distributed through the compromised SolarWinds software update system from operating.
While this shuts down the C&C server, making it harder for the attackers to use the SUNBURST implants already deployed, the malware itself is still in place on affected systems and still needs to be contained and eradicated. Also look for indicators of follow-on malicious activity, such as unexpected credential changes and anomalous network traffic.
Read more in:
KrebsOnSecurity: Malicious Domain in SolarWinds Hack Turned into 'Killswitch'
ZDNet: Microsoft and industry partners seize key domain used in SolarWinds hack
Dark Reading: FireEye Identifies Killswitch for SolarWinds Malware as Victims Scramble to Respond
Bleeping Computer: FireEye, Microsoft create kill switch for SolarWinds backdoor
Cyberscoop: FireEye, Microsoft find 'killswitch' to hamper SolarWinds-related malware
GeekWire: Microsoft unleashes 'Death Star' on SolarWinds hackers in extraordinary response to breach
ZDNet: Microsoft to quarantine SolarWinds apps linked to recent hack