
Partial lists of organizations infected with Sunburst malware released online


Multiple security researchers and research teams have published over the weekend lists ranging from 100 to 280 organizations that installed a trojanized version of the SolarWinds Orion platform and had their internal systems infected with the Sunburst malware.


The list includes the names of tech companies, local governments, universities, hospitals, banks, and telecom providers.

The biggest names on this list include the likes of Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.

MediaTek, one of the world's largest semiconductor companies, is also believed to have been impacted, although security researchers aren't yet fully certain that it belongs on their lists.

Cracking the Sunburst subdomain mysteries

The way security researchers compiled these lists was by reverse-engineering the Sunburst (aka Solorigate) malware.

For ZDNet readers learning of the Sunburst malware for the first time, this malware was injected inside updates for the SolarWinds Orion app released between March and June 2020.

The booby-trapped updates planted the Sunburst malware deep inside the internal networks of many companies and government organizations that relied on the Orion app to monitor and inventory their internal IT systems.

According to deep-dive reports published last week by Microsoft, FireEye, McAfee, Symantec, Kaspersky, and the US Cybersecurity and Infrastructure Security Agency (CISA), on infected systems the malware would gather information about the victim company's network, wait 12 to 14 days, and then send the data to a remote command and control (C&C) server.

The hackers, believed to be a Russian state-sponsored group, would then analyze the data they received and escalate attacks only on networks that were of interest to their intelligence-gathering goals.


Last week, SolarWinds admitted to the hack and said that based on internal telemetry, almost 18,000 of its 300,000 customers downloaded versions of the Orion platform that contained the Sunburst malware.

Initially, it was thought that only SolarWinds would be able to identify and notify all the impacted organizations. However, as security researchers kept analyzing Sunburst's inner workings, they discovered some quirks in the malware's operations, namely in the way the malware pinged its C&C server.

According to research published last week, Sunburst would send the data it collected from an infected network to a C&C server URL that was unique per victim.

This unique URL was a subdomain of avsvmcloud[.]com and contained four parts, where the first part was a random-looking string. But security researchers found that this string wasn't actually random: it contained the encoded name of the victim's local network domain.


Since last week, several security firms and independent researchers have been sifting through historical web traffic and passive DNS data to collect information on traffic going to the avsvmcloud[.]com domain, crack the subdomains and then track down companies that installed a trojanized SolarWinds Orion app — and had the Sunburst malware beaconing from inside their networks back to the attackers’ server (now sinkholed thanks to Microsoft and FireEye).

A growing list of first-stage and second-stage victims

Cybersecurity firms Truesec and Prevasio, security researcher Dewan Chowdhury, and Chinese security firm QiAnXin are among the several who have now published lists of Sunburst-infected organizations or tools to decode the avsvmcloud[.]com subdomains.

Companies like Cisco and Intel formally confirmed, in interviews with reporters over the weekend, that they were infected. Both companies said they found no evidence that the hackers escalated access to deliver second-stage payloads on their systems.

VMware and Microsoft, whose names were not on these public lists, also confirmed they installed trojanized Orion updates on their internal networks, but likewise said they found no evidence of escalation by the attackers.

However, the hackers did escalate their attacks on the networks of some of their targets. In an interview on Friday, FireEye CEO Kevin Mandia, whose company discovered the SolarWinds hack when investigating a breach of its internal systems, said that hackers, despite infecting almost 18,000 networks, only escalated access to around 50 targets, based on FireEye’s visibility.

In a separate report, also published on Friday, Microsoft also said it identified 40 of its own customers that had installed infected Orion apps and where attackers escalated access.

"Escalation" usually happened when the avsvmcloud[.]com C&C server answered an infected host's DNS query with a very specific response that contained a CNAME record.

That CNAME record pointed to a second C&C server, from which the Sunburst malware would fetch additional commands and sometimes download other malware.

Currently, the only publicly known company where hackers escalated access is FireEye, whose breach response helped uncover the entire SolarWinds hack.

Distinguishing between the two (a simple Sunburst infection and escalation) is crucial for incident responders. In the first case, they might only need to remove the Sunburst malware; in the second, they might need to review logs to identify which internal systems the hackers escalated access to and what data was stolen from their networks.
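The triage described above, reduced to a script, as an added example that is not code from the article, from Truesec, or from any of the other researchers it cites. It walks passive-DNS records, treats any lookup of avsvmcloud[.]com or a subdomain of it as evidence of a first-stage Sunburst beacon, pulls out the leftmost label (the encoded victim identifier the researchers decoded), and flags a client as escalated only when the C&C answered with a CNAME naming a second-stage server. The record layout, the sample records, the encoded labels and the IP addresses are all constructed for the example and are not real Sunburst indicators; the middle labels follow the publicly reported appsync-api.<region> pattern, which the article itself does not spell out. Decoding the victim label is deliberately left out, since the cipher is malware-specific and not described on this page.

```python
"""Triage passive-DNS records for Sunburst first-stage beacons vs. escalation.

Added example; not from the article or any firm it cites. Record format is
assumed to be one record per line: "timestamp client qname rrtype rdata",
where rrtype/rdata describe the answer the resolver returned.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

C2_DOMAIN = "avsvmcloud.com"  # first-stage C&C domain named in the article (now sinkholed)

# Constructed sample input. Labels, IPs (TEST-NET ranges) and the CNAME target are made up.
SAMPLE_PDNS = """\
# timestamp client qname rrtype rdata
2020-06-24T03:11:52Z 10.20.1.15 k7m3dq1zrs9f.appsync-api.eu-west-1.avsvmcloud.com A 203.0.113.10
2020-06-25T03:12:04Z 10.20.1.15 k7m3dq1zrs9f.appsync-api.eu-west-1.avsvmcloud.com A 203.0.113.10
2020-06-25T09:40:17Z 10.20.7.2 wq8h2lx0ab5c.appsync-api.us-east-2.avsvmcloud.com A 198.51.100.7
2020-06-26T09:41:30Z 10.20.7.2 wq8h2lx0ab5c.appsync-api.us-east-2.avsvmcloud.com CNAME stage2.example.net
2020-06-26T10:02:11Z 10.20.3.9 www.notavsvmcloud.com A 192.0.2.1
2020-06-26T11:00:00Z 10.20.3.9 solarwinds.com A 192.0.2.2
this line is malformed on purpose
"""


@dataclass
class Finding:
    client: str
    first_seen: str
    last_seen: str = ""
    labels: List[str] = field(default_factory=list)         # encoded victim identifiers seen
    second_stage: List[str] = field(default_factory=list)   # CNAME targets handed out by the C&C

    @property
    def verdict(self) -> str:
        # A CNAME answer is the article's escalation signal; an A-only history is a beacon that was
        # never answered with a second-stage server (the Cisco/Intel/VMware/Microsoft situation).
        return "ESCALATED" if self.second_stage else "FIRST-STAGE-ONLY"


def parse_record(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one record; return None for comments and malformed lines instead of raising."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, rrtype, rdata = parts
    return ts, client, qname.rstrip(".").lower(), rrtype.upper(), rdata.rstrip(".").lower()


def is_c2_lookup(qname: str) -> bool:
    """Match the apex or a true subdomain only, so notavsvmcloud.com does not false-positive."""
    return qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN)


def victim_label(qname: str) -> str:
    """Leftmost label: the per-victim string that encodes the internal domain name."""
    return qname.split(".")[0]


def triage(lines) -> Dict[str, Finding]:
    """Group C&C lookups by client and record whether a CNAME (second stage) was ever returned."""
    findings: Dict[str, Finding] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, client, qname, rrtype, rdata = rec
        if not is_c2_lookup(qname):
            continue
        f = findings.setdefault(client, Finding(client=client, first_seen=ts))
        f.last_seen = ts  # assumes records arrive in time order, as pDNS exports usually do
        label = victim_label(qname)
        if label not in f.labels:
            f.labels.append(label)
        if rrtype == "CNAME" and rdata not in f.second_stage:
            f.second_stage.append(rdata)
    return findings


if __name__ == "__main__":
    for client, f in sorted(triage(SAMPLE_PDNS.splitlines()).items()):
        print(f"{client:12} {f.verdict:17} first={f.first_seen} last={f.last_seen} "
              f"labels={f.labels} second_stage={f.second_stage}")
```

Run against a real passive-DNS export, the ESCALATED rows are the ones that need the full log review the paragraph above describes, while FIRST-STAGE-ONLY rows still need the trojanized Orion build removed and the decoded label confirmed against the organization's own internal domain name.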

Several security researchers have told ZDNet today that a large part of the cybersecurity community is now working with content delivery networks, internet service providers, and other internet companies to collect passive DNS data and hunt down traffic to and from the avsvmcloud[.]com domain in order to identify other victims where attackers escalated access.

Below is a table compiled by security firm Truesec with the decoded internal domain names of some of the SolarWinds victims.

Decoded Internal Name | Possible Organization (may be inaccurate)* | Response Address Family | Command | First Seen
mnh.rg-law.ac.il | College of Law and Business, Israel | NetBios | HTTP Backdoor | 2020-05-26
ad001.mtk.lo | Mediatek | NetBios | HTTP Backdoor | 2020-08-26
Aeria | | NetBios | HTTP Backdoor | 2020-06-26
Ameri | | NetBios | HTTP Backdoor | 2020-08-02
ank.com | Ankcom Communications | NetBios | HTTP Backdoor | 2020-06-06
azlcyy | | NetBios | HTTP Backdoor | 2020-08-07
banccentral.com | BancCentral Financial Services Corp. | NetBios | HTTP Backdoor | 2020-07-03
barrie.ca | City of Barrie | NetBios | HTTP Backdoor | 2020-05-13
BCC.l | | NetBios | HTTP Backdoor | 2020-08-22
bhq.lan | | NetBios | HTTP Backdoor | 2020-08-18
cds.capilanou. | Capilano University | NetBios | HTTP Backdoor | 2020-08-27
Centr | | NetBios | HTTP Backdoor | 2020-06-24
chc.dom | | NetBios | HTTP Backdoor | 2020-08-04
christieclinic. | Christie Clinic Telehealth | NetBios | HTTP Backdoor | 2020-04-22
CIMBM | | NetBios | HTTP Backdoor | 2020-09-25
CIRCU | | NetBios | HTTP Backdoor | 2020-05-30
CONSO | | NetBios | HTTP Backdoor | 2020-06-17
corp.ptci.com | Pioneer Telephone Scholarship Recipients | NetBios | HTTP Backdoor | 2020-06-19
corp.stingraydi | Stingray (Media and entertainment) | NetBios | HTTP Backdoor | 2020-06-10
corp.stratusnet | Stratus Networks | NetBios | HTTP Backdoor | 2020-04-28
cosgroves.local | Cosgroves (Building services consulting) | NetBios | HTTP Backdoor | 2020-08-25
COTES | Cotes (Humidity Management) | NetBios | HTTP Backdoor | 2020-07-25
csnt.princegeor | City of Prince George | NetBios | HTTP Backdoor | 2020-09-18
cys.local | CYS Group (Marketing analytics) | NetBios | HTTP Backdoor | 2020-07-10
digitalsense.co | Digital Sense (Cloud Services) | NetBios | HTTP Backdoor | 2020-06-24
ehtuh- | | NetBios | HTTP Backdoor | 2020-05-01
escap.org | | NetBios | HTTP Backdoor | 2020-07-10
f.gnam | | NetBios | HTTP Backdoor | 2020-04-04
fhc.local | | NetBios | HTTP Backdoor | 2020-07-06
fidelitycomm.lo | Fidelity Communications (ISP) | NetBios | HTTP Backdoor | 2020-06-02
fisherbartoninc.com | The Fisher Barton Group (Blade Manufacturer) | NetBios | HTTP Backdoor | 2020-05-15
fmtn.ad | City of Farmington | NetBios | HTTP Backdoor | 2020-07-21
FWO.I | | NetBios | HTTP Backdoor | 2020-08-05
ggsg-us.cisco | Cisco GGSG | NetBios | HTTP Backdoor | 2020-06-24
ghsmain1.ggh.g | | NetBios | HTTP Backdoor | 2020-06-09
gxw | | NetBios | HTTP Backdoor | 2020-07-07
htwanmgmt.local | | NetBios | HTTP Backdoor | 2020-07-22
ieb.go.id | | NetBios | HTTP Backdoor | 2020-06-12
int.ncahs.net | | NetBios | HTTP Backdoor | 2020-09-23
internal.jtl.c | | NetBios | HTTP Backdoor | 2020-05-19
ironform.com | Ironform (metal fabrication) | NetBios | HTTP Backdoor | 2020-06-19
isi | | NetBios | HTTP Backdoor | 2020-07-06
itps.uk.net | Infection Prevention Society (IPS) | NetBios | HTTP Backdoor | 2020-08-11
jxxyx. | | NetBios | HTTP Backdoor | 2020-06-26
kcpl.com | Kansas City Power and Light Company | NetBios | HTTP Backdoor | 2020-07-07
keyano.local | Keyano College | NetBios | HTTP Backdoor | 2020-06-03
khi0kl | | NetBios | HTTP Backdoor | 2020-08-26
lhc_2f | | NetBios | HTTP Backdoor | 2020-04-18
lufkintexas.net | Lufkin (City in Texas) | NetBios | HTTP Backdoor | 2020-07-07
magnoliaisd.loc | Magnolia Independent School District | NetBios | HTTP Backdoor | 2020-06-01
MOC.l | | NetBios | HTTP Backdoor | 2020-04-30
moncton.loc | City of Moncton | NetBios | HTTP Backdoor | 2020-08-25
mountsinai.hosp | Mount Sinai Hospital | NetBios | HTTP Backdoor | 2020-07-02
netdecisions.lo | Netdecisions (IT services) | NetBios | HTTP Backdoor | 2020-10-04
newdirections.k | | NetBios | HTTP Backdoor | 2020-04-21
nswhealth.net | NSW Health | NetBios | HTTP Backdoor | 2020-06-12
nzi_9p | | NetBios | HTTP Backdoor | 2020-08-04
city.kingston.on.ca | City of Kingston, Ontario, Canada | NetBios | HTTP Backdoor | 2020-06-15
dufferincounty.on.ca | Dufferin County, Ontario, Canada | NetBios | HTTP Backdoor | 2020-07-17
osb.local | | NetBios | HTTP Backdoor | 2020-04-28
oslerhc.org | William Osler Health System | NetBios | HTTP Backdoor | 2020-07-11
pageaz.gov | City of Page | NetBios | HTTP Backdoor | 2020-04-19
pcsco.com | Professional Computer Systems | NetBios | HTTP Backdoor | 2020-07-23
pkgix_ | | NetBios | HTTP Backdoor | 2020-07-15
pqcorp.com | PQ Corporation | NetBios | HTTP Backdoor | 2020-07-02
prod.hamilton. | Hamilton Company | NetBios | HTTP Backdoor | 2020-08-19
resprod.com | Res Group (Renewable energy company) | NetBios | HTTP Backdoor | 2020-05-06
RPM.l | | NetBios | HTTP Backdoor | 2020-05-28
sdch.local | South Davis Community Hospital | NetBios | HTTP Backdoor | 2020-05-18
servitia.intern | | NetBios | HTTP Backdoor | 2020-06-16
sfsi.stearnsban | Stearns Bank | NetBios | HTTP Backdoor | 2020-08-02
signaturebank.l | Signature Bank | NetBios | HTTP Backdoor | 2020-06-25
sm-group.local | SM Group (Distribution) | NetBios | HTTP Backdoor | 2020-07-07
te.nz | TE Connectivity (Sensor manufacturer) | NetBios | HTTP Backdoor | 2020-05-13
thx8xb | | NetBios | HTTP Backdoor | 2020-06-16
tx.org | | NetBios | HTTP Backdoor | 2020-07-15
usd373.org | Newton Public Schools | NetBios | HTTP Backdoor | 2020-08-01
uzq | | NetBios | HTTP Backdoor | 2020-10-02
ville.terrebonn | Ville de Terrebonne | NetBios | HTTP Backdoor | 2020-08-02
wrbaustralia.ad | W. R. Berkley Insurance Australia | NetBios | HTTP Backdoor | 2020-07-11
ykz | | NetBios | HTTP Backdoor | 2020-07-11
2iqzth | | ImpLink | Enum processes | 2020-06-17
3if.2l | 3IF (Industrial Internet) | ImpLink | Enum processes | 2020-08-20
airquality.org | Sacramento Metropolitan Air Quality Management District | ImpLink | Enum processes | 2020-08-09
ansc.gob.pe | GOB (Digital Platform of the Peruvian State) | ImpLink | Enum processes | 2020-07-25
bcofsa.com.ar | Banco de Formosa | ImpLink | Enum processes | 2020-07-13
bi.corp | | ImpLink | Enum processes | 2020-12-14
bop.com.pk | The Bank of Punjab | ImpLink | Enum processes | 2020-09-18
camcity.local | | ImpLink | Enum processes | 2020-08-07
cow.local | | ImpLink | Enum processes | 2020-06-13
deniz.denizbank | DenizBank | ImpLink | Enum processes | 2020-11-14
ies.com | IES Communications (Communications technology) | ImpLink | Enum processes | 2020-06-11
insead.org | INSEAD Business School | ImpLink | Enum processes | 2020-11-07
KS.LO | | ImpLink | Enum processes | 2020-07-10
mixonhill.com | Mixon Hill (intelligent transportation systems) | ImpLink | Enum processes | 2020-04-29
ni.corp.natins | | ImpLink | Enum processes | 2020-10-24
phabahamas.org | Public Hospitals Authority, Caribbean | ImpLink | Enum processes | 2020-11-05
rbe.sk.ca | Regina Public Schools | ImpLink | Enum processes | 2020-08-20
spsd.sk.ca | Saskatoon Public Schools | ImpLink | Enum processes | 2020-06-12
yorkton.cofy | Community Options for Families & Youth | ImpLink | Enum processes | 2020-05-08
.sutmf | | Ipx | Update config | 2020-06-25
atg.local | | No Match | Unknown | 2020-05-11
bisco.int | Bisco International (Adhesives and tapes) | No Match | Unknown | 2020-04-30
ccscurriculum.c | | No Match | Unknown | 2020-04-18
e-idsolutions. | IDSolutions (video conferencing) | No Match | Unknown | 2020-07-16
ETC1. | | No Match | Unknown | 2020-08-01
gk5 | | No Match | Unknown | 2020-07-09
grupobazar.loca | | No Match | Unknown | 2020-06-07
internal.hws.o | | No Match | Unknown | 2020-05-23
n2k | | No Match | Unknown | 2020-07-12
publiser.it | | No Match | Unknown | 2020-07-05
us.deloitte.co | Deloitte | No Match | Unknown | 2020-07-08
ush.com | | No Match | Unknown | 2020-06-15
xijtt- | | No Match | Unknown | 2020-07-21
xnet.kz | X NET (IT provider in Kazakhstan) | No Match | Unknown | 2020-06-09
zu0 | | No Match | Unknown | 2020-08-13
staff.technion.ac.il | | N/A | N/A | N/A
digitalreachinc.com | | N/A | N/A | N/A
orient-express.com | | N/A | N/A | N/A
tr.technion.ac.il | | N/A | N/A | N/A
lasers.state.la.us | | N/A | N/A | N/A
ABLE. | | N/A | N/A | N/A
abmuh_ | | N/A | N/A | N/A
acmedctr.ad | | N/A | N/A | N/A
ad.azarthritis.com | | N/A | N/A | N/A
ad.library.ucla.edu | | N/A | N/A | N/A
ad.optimizely. | | N/A | N/A | N/A
admin.callidusc | | N/A | N/A | N/A
aerioncorp.com | | N/A | N/A | N/A
agloan.ads | | N/A | N/A | N/A
ah.org | | N/A | N/A | N/A
AHCCC | | N/A | N/A | N/A
allegronet.co. | | N/A | N/A | N/A
alm.brand.dk | | N/A | N/A | N/A
amalfi.local | | N/A | N/A | N/A
americas.phoeni | | N/A | N/A | N/A
amr.corp.intel | | N/A | N/A | N/A
apu.mn | | N/A | N/A | N/A
ARYZT | | N/A | N/A | N/A
b9f9hq | | N/A | N/A | N/A
BE.AJ | | N/A | N/A | N/A
belkin.com | | N/A | N/A | N/A
bk.local | | N/A | N/A | N/A
bmrn.com | | N/A | N/A | N/A
bok.com | | N/A | N/A | N/A
btb.az | | N/A | N/A | N/A
c4e-internal.c | | N/A | N/A | N/A
calsb.org | | N/A | N/A | N/A
casino.prv | | N/A | N/A | N/A
cda.corp | | N/A | N/A | N/A
central.pima.g | | N/A | N/A | N/A
cfsi.local | | N/A | N/A | N/A
ch.local | | N/A | N/A | N/A
ci.dublin.ca. | | N/A | N/A | N/A
cisco.com | | N/A | N/A | N/A
corp.dvd.com | | N/A | N/A | N/A
corp.sana.com | | N/A | N/A | N/A
Count | | N/A | N/A | N/A
COWI. | | N/A | N/A | N/A
coxnet.cox.com | | N/A | N/A | N/A
CRIHB | | N/A | N/A | N/A
cs.haystax.loc | | N/A | N/A | N/A
csa.local | | N/A | N/A | N/A
csci-va.com | | N/A | N/A | N/A
csqsxh | | N/A | N/A | N/A
DCCAT | | N/A | N/A | N/A
deltads.ent | | N/A | N/A | N/A
detmir-group.r | | N/A | N/A | N/A
dhhs- | | N/A | N/A | N/A
dmv.state.nv. | | N/A | N/A | N/A
dotcomm.org | | N/A | N/A | N/A
DPCIT | | N/A | N/A | N/A
dskb2x | | N/A | N/A | N/A
e9.2pz | | N/A | N/A | N/A
ebe.co.roanoke.va.us | | N/A | N/A | N/A
ecobank.group | | N/A | N/A | N/A
ecocorp.local | | N/A | N/A | N/A
epl.com | | N/A | N/A | N/A
fremont.lamrc. | | N/A | N/A | N/A
FSAR. | | N/A | N/A | N/A
ftfcu.corp | | N/A | N/A | N/A
gksm.local | | N/A | N/A | N/A
gloucesterva.ne | | N/A | N/A | N/A
glu.com | | N/A | N/A | N/A
gnb.local | | N/A | N/A | N/A
gncu.local | | N/A | N/A | N/A
gsf.cc | | N/A | N/A | N/A
gyldendal.local | | N/A | N/A | N/A
helixwater.org | | N/A | N/A | N/A
hgvc.com | | N/A | N/A | N/A
ia.com | | N/A | N/A | N/A
inf.dc.net | | N/A | N/A | N/A
ingo.kg | | N/A | N/A | N/A
innout.corp | | N/A | N/A | N/A
int.lukoil-international.uz | | N/A | N/A | N/A
intensive.int | | N/A | N/A | N/A
ions.com | | N/A | N/A | N/A
its.iastate.ed | | N/A | N/A | N/A
jarvis.lab | | N/A | N/A | N/A
-jlowd | | N/A | N/A | N/A
jn05n8 | | N/A | N/A | N/A
jxb3eh | | N/A | N/A | N/A
k.com | | N/A | N/A | N/A
LABEL | | N/A | N/A | N/A
milledgeville.l | | N/A | N/A | N/A
nacr.com | | N/A | N/A | N/A
ncpa.loc | | N/A | N/A | N/A
neophotonics.co | | N/A | N/A | N/A
net.vestfor.dk | | N/A | N/A | N/A
nih.if | | N/A | N/A | N/A
nvidia.com | | N/A | N/A | N/A
on-pot | | N/A | N/A | N/A
ou0yoy | | N/A | N/A | N/A
paloverde.local | | N/A | N/A | N/A
pl8uw0 | | N/A | N/A | N/A
q9owtt | | N/A | N/A | N/A
rai.com | | N/A | N/A | N/A
rccf.ru | | N/A | N/A | N/A
repsrv.com | | N/A | N/A | N/A
ripta.com | | N/A | N/A | N/A
roymerlin.com | | N/A | N/A | N/A
rs.local | | N/A | N/A | N/A
rst.atlantis-pak.ru | | N/A | N/A | N/A
sbywx3 | | N/A | N/A | N/A
sc.pima.gov | | N/A | N/A | N/A
scif.com | | N/A | N/A | N/A
SCMRI | | N/A | N/A | N/A
scroot.com | | N/A | N/A | N/A
seattle.interna | | N/A | N/A | N/A
securview.local | | N/A | N/A | N/A
SFBAL | | N/A | N/A | N/A
SF-Li | | N/A | N/A | N/A
siskiyous.edu | | N/A | N/A | N/A
sjhsagov.org | | N/A | N/A | N/A
Smart | | N/A | N/A | N/A
smes.org | | N/A | N/A | N/A
sos-ad.state.nv.us | | N/A | N/A | N/A
sro.vestfor.dk | | N/A | N/A | N/A
superior.local | | N/A | N/A | N/A
swd.local | | N/A | N/A | N/A
ta.org | | N/A | N/A | N/A
taylorfarms.com | | N/A | N/A | N/A
thajxq | | N/A | N/A | N/A
thoughtspot.int | | N/A | N/A | N/A
tsyahr | | N/A | N/A | N/A
tv2.local | | N/A | N/A | N/A
uis.kent.edu | | N/A | N/A | N/A
uncity.dk | | N/A | N/A | N/A
uont.com | | N/A | N/A | N/A
viam-invenient | | N/A | N/A | N/A
vms.ad.varian.com | | N/A | N/A | N/A
vsp.com | | N/A | N/A | N/A
WASHO | | N/A | N/A | N/A
weioffice.com | | N/A | N/A | N/A
wfhf1.hewlett. | | N/A | N/A | N/A
woodruff-sawyer | | N/A | N/A | N/A
HQ.RE-wwgi2xnl | | N/A | N/A | N/A
xdxinc.net | | N/A | N/A | N/A
y9k.in | | N/A | N/A | N/A
zeb.i8 | | N/A | N/A | N/A
zippertubing.co | | N/A | N/A | N/A

Source: Information Technologies - zdnet.com
