If SUNBURST now attempts to connect to its C2 coordinator using a subdomain of avsvmcloud.com, the kill-switch will be activated instead.

Investigating the SUNBURST Compromise

After the compromise was discovered, Microsoft took over the domain used by SUNBURST, avsvmcloud.com, and resolved it to 20.140.0.1. The sophisticated attack affected public and private organizations (18,000 SolarWinds customers, including almost all Fortune 500 companies, government agencies, and government contractors) since as early as Spring 2020 and has resulted in network lateral movement and data theft by adversaries.
In December 2020, cyber threat analysis company FireEye discovered a global supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute the malware named SUNBURST.
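The sinkholed domain described above gives defenders a simple detection: any host that still resolves avsvmcloud.com (or a subdomain of it) is a likely SUNBURST beacon, and an answer of 20.140.0.1 means the kill-switch was triggered on that host rather than a live C2 contact. The following is an added example, not code from the original article; the DNS log format and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log (hostnames and labels are made up, not real IoCs).
SAMPLE_DNS_LOG = """\
2020-12-14T02:11:05Z host=ws-017 query=abcdef0123456789abcd.appsync-api.us-west-2.avsvmcloud.com answer=20.140.0.1
2020-12-14T02:12:40Z host=ws-042 query=updates.example.com answer=198.51.100.7
2020-12-14T02:13:12Z host=srv-orion-01 query=fedcba9876543210fedc.appsync-api.eu-west-1.avsvmcloud.com answer=20.140.0.1
2020-12-14T02:14:30Z host=ws-017 query=avsvmcloud.com answer=20.140.0.1
2020-12-14T02:15:02Z host=ws-099 query=zzzz.appsync-api.us-east-1.avsvmcloud.com answer=NXDOMAIN
"""

C2_DOMAIN = "avsvmcloud.com"                         # domain taken over by Microsoft
SINKHOLE_IP = ipaddress.ip_address("20.140.0.1")     # sinkhole address from the text

# Assumed log line layout: "<ts> host=<name> query=<fqdn> answer=<ip|NXDOMAIN>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)


def is_c2_lookup(name):
    """True for avsvmcloud.com itself or any subdomain; 'notavsvmcloud.com' is not matched."""
    name = name.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def find_sunburst_beacons(log_text):
    """Return {host: {"lookups": n, "sinkholed": n}} for hosts that queried the C2 domain.

    A host with lookups > 0 should be treated as running the trojanized Orion update;
    sinkholed > 0 means those beacons reached the sinkhole and the kill-switch fired.
    """
    hits = defaultdict(lambda: {"lookups": 0, "sinkholed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_c2_lookup(m["query"]):
            continue
        rec = hits[m["host"]]
        rec["lookups"] += 1
        try:
            if ipaddress.ip_address(m["answer"]) == SINKHOLE_IP:
                rec["sinkholed"] += 1
        except ValueError:
            pass  # NXDOMAIN or other non-address answer: counted as a lookup only
    return dict(hits)


if __name__ == "__main__":
    for host, rec in find_sunburst_beacons(SAMPLE_DNS_LOG).items():
        print(f"{host}: {rec['lookups']} C2 lookups, {rec['sinkholed']} hit the sinkhole")
```

Hosts flagged here still carry the backdoored DLL even when every lookup was sinkholed, so the output is a triage list for reimaging and lateral-movement hunting, not proof that the threat is gone.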