Multiple security researchers and research teams have published over the weekend lists ranging from 100 to 280 organizations that installed a trojanized version of the SolarWinds Orion platform and had their internal systems infected with the Sunburst malware.
ZDNet Recommends
The best VPNs for 2021
VPNs aren’t essential only for securing your unencrypted Wi-Fi connections in coffee shops and airports. Every remote worker should consider a VPN to stay safe online. Here are your top choices for best VPNs in 2020 and how to get set up.
Read More
The list includes the names of tech companies, local governments, universities, hospitals, banks, and telecom providers.
The biggest names on this list include the likes of Cisco, Intel, Cox Communications, Deloitte, Nvidia, Optimizely, and Digital Sense.
MediaTek, one of the world’s largest semiconductor companies, is also believed to have been impacted; although, security researchers aren’t 100% on its inclusion on their lists just yet.
Cracking the Sunburst subdomain mysteries
The way security researchers compiled these lists was by reverse-engineering the Sunburst (aka Solorigate) malware.
For ZDNet readers learning of the Sunburst malware for the first time, this malware was injected inside updates for the SolarWinds Orion app released between March and June 2020.
The boobytrapped updates planted the Sunburst malware deep inside the internal networks of many companies and government organizations which relied on the Orion app to monitor and keep inventories of internal IT systems.
According to deep-dive reports published last week by Microsoft, FireEye, McAfee, Symantec, Kaspersky, and US Cybersecurity and Infrastructure Security Agency (CISA), on infected systems, the malware would gather information about the victim company’s network, wait 12 to 14 days, and then send the data to a remote command and control server (C&C).
The hackers — believed to be a Russian state-sponsored group — would then analyze the data they received and escalated attacks only on networks that were of interest to their intelligence gathering goals.
Last week, SolarWinds admitted to the hack and said that based on internal telemetry, almost 18,000 of its 300,000 customers downloaded versions of the Orion platform that contained the Sunburst malware.
Initially, it was thought that only SolarWinds would be able to identify and notify all the impacted organizations. However, as security researchers kept analyzing Sunburst’s inner-workings, they also discovered some quirks in the malware’s operations, namely in the way the malware pinged its C&C server.
According to research published last week, Sunburst would send the data it collected from an infected network to a C&C server URL that was unique per victim.
This unique URL was a subdomain for avsvmcloud[.]com and contained four parts, where the first part was a random-looking string. But security researchers said that this string wasn’t actually unique but contained the encoded name of the victim’s local network domain.
Since last week, several security firms and independent researchers have been sifting through historical web traffic and passive DNS data to collect information on traffic going to the avsvmcloud[.]com domain, crack the subdomains and then track down companies that installed a trojanized SolarWinds Orion app — and had the Sunburst malware beaconing from inside their networks back to the attackers’ server (now sinkholed thanks to Microsoft and FireEye).
A growing list of first-stage and second-stage victims
Chinese security firm TrueSec, security researcher Dewan Chowdhury, and Chinese security firm QiAnXin are among the several who have now published lists of Sunburst-infected organizations or tools to decode the avsvmcloud[.]com subdomains.
Companies like Cisco and Intel have formally confirmed they got infected in interviews with reporters over the weekend. Both companies have said they found no evidence that the hackers escalated access to deliver second-stage payloads on their systems.
VMWare and Microsoft, whose names were not on these public lists, also confirmed they installed trojanized Orion updates on their internal networks but also specified that they also did not find any evidence of escalation from the attackers.
However, the hackers did escalate their attacks on the networks of some of their targets. In an interview on Friday, FireEye CEO Kevin Mandia, whose company discovered the SolarWinds hack when investigating a breach of its internal systems, said that hackers, despite infecting almost 18,000 networks, only escalated access to around 50 targets, based on FireEye’s visibility.
In a separate report, also published on Friday, Microsoft also said it identified 40 of its own customers that had installed infected Orion apps and where attackers escalated access.
“Escalation” usually happened when the avsvmcloud[.]com C&C server replied to an infected company with a very specific DNS response that contained a special CNAME field.
This special DNS CNAME field contained the location of a second C&C server from where the Sunburst malware would get additional commands and sometimes download other malware.
Currently, the only publicly known company where hackers escalated access is FireEye, whose breach response helped uncover the entire SolarWinds hack.
Making the difference between the two (a simple Sunburst infection and escalation) is crucial for incident responders. In the first case, they might only need to remove the Sunburst malware, while in the second, they might need to review logs to identify what internal systems hackers escalated access to and what data was stolen from their networks.
Several security researchers have told ZDNet today that a large part of the cybersecurity community is now working with content delivery networks, internet service providers, and other internet companies to collect passive DNS data and hunt down traffic to and from the avsvmcloud[.]com domain in order to identify other victims where attackers escalated access.
Below is a table compiled by security firm Truesec with the decoded internal domain names of some of the SolarWinds victims.
Decoded Internal NamePossible Organization
(may be inaccurate)*Response Address FamilyCommandFirst Seen mnh.rg-law.ac.il College of Law and Business,
Israel NetBios HTTP Backdoor 2020-05-26 ad001.mtk.lo Mediatek NetBios HTTP Backdoor 2020-08-26 Aeria
NetBios HTTP Backdoor 2020-06-26 Ameri
NetBios HTTP Backdoor 2020-08-02 ank.com Ankcom Communications NetBios HTTP Backdoor 2020-06-06 azlcyy
NetBios HTTP Backdoor 2020-08-07 banccentral.com BancCentral Financial
Services Corp. NetBios HTTP Backdoor 2020-07-03 barrie.ca City of Barrie NetBios HTTP Backdoor 2020-05-13 BCC.l
NetBios HTTP Backdoor 2020-08-22 bhq.lan
NetBios HTTP Backdoor 2020-08-18 cds.capilanou. Capilano University NetBios HTTP Backdoor 2020-08-27 Centr
NetBios HTTP Backdoor 2020-06-24 chc.dom
NetBios HTTP Backdoor 2020-08-04 christieclinic. Christie Clinic Telehealth NetBios HTTP Backdoor 2020-04-22 CIMBM
NetBios HTTP Backdoor 2020-09-25 CIRCU
NetBios HTTP Backdoor 2020-05-30 CONSO
NetBios HTTP Backdoor 2020-06-17 corp.ptci.com Pioneer Telephone
Scholarship Recipients NetBios HTTP Backdoor 2020-06-19 corp.stingraydi Stingray (Media and
entertainment) NetBios HTTP Backdoor 2020-06-10 corp.stratusnet Stratus Networks NetBios HTTP Backdoor 2020-04-28 cosgroves.local Cosgroves (Building services
consulting) NetBios HTTP Backdoor 2020-08-25 COTES Cotes (Humidity Management) NetBios HTTP Backdoor 2020-07-25 csnt.princegeor City of Prince George NetBios HTTP Backdoor 2020-09-18 cys.local CYS Group (Marketing analytics) NetBios HTTP Backdoor 2020-07-10 digitalsense.co Digital Sense (Cloud Services) NetBios HTTP Backdoor 2020-06-24 ehtuh-
NetBios HTTP Backdoor 2020-05-01 escap.org
NetBios HTTP Backdoor 2020-07-10 f.gnam
NetBios HTTP Backdoor 2020-04-04 fhc.local
NetBios HTTP Backdoor 2020-07-06 fidelitycomm.lo Fidelity Communications (ISP) NetBios HTTP Backdoor 2020-06-02 fisherbartoninc.com The Fisher Barton Group
(Blade Manufacturer) NetBios HTTP Backdoor 2020-05-15 fmtn.ad City of Farmington NetBios HTTP Backdoor 2020-07-21 FWO.I
NetBios HTTP Backdoor 2020-08-05 ggsg-us.cisco Cisco GGSG NetBios HTTP Backdoor 2020-06-24 ghsmain1.ggh.g
NetBios HTTP Backdoor 2020-06-09 gxw
NetBios HTTP Backdoor 2020-07-07 htwanmgmt.local
NetBios HTTP Backdoor 2020-07-22 ieb.go.id
NetBios HTTP Backdoor 2020-06-12 int.ncahs.net
NetBios HTTP Backdoor 2020-09-23 internal.jtl.c
NetBios HTTP Backdoor 2020-05-19 ironform.com Ironform (metal fabrication) NetBios HTTP Backdoor 2020-06-19 isi
NetBios HTTP Backdoor 2020-07-06 itps.uk.net Infection Prevention Society (IPS) NetBios HTTP Backdoor 2020-08-11 jxxyx.
NetBios HTTP Backdoor 2020-06-26 kcpl.com Kansas City Power and
Light Company NetBios HTTP Backdoor 2020-07-07 keyano.local Keyano College NetBios HTTP Backdoor 2020-06-03 khi0kl
NetBios HTTP Backdoor 2020-08-26 lhc_2f
NetBios HTTP Backdoor 2020-04-18 lufkintexas.net Lufkin (City in Texas) NetBios HTTP Backdoor 2020-07-07 magnoliaisd.loc Magnolia Independent
School District NetBios HTTP Backdoor 2020-06-01 MOC.l
NetBios HTTP Backdoor 2020-04-30 moncton.loc City of Moncton NetBios HTTP Backdoor 2020-08-25 mountsinai.hosp Mount Sinai Hospital NetBios HTTP Backdoor 2020-07-02 netdecisions.lo Netdecisions (IT services) NetBios HTTP Backdoor 2020-10-04 newdirections.k
NetBios HTTP Backdoor 2020-04-21 nswhealth.net NSW Health NetBios HTTP Backdoor 2020-06-12 nzi_9p
NetBios HTTP Backdoor 2020-08-04 city.kingston.on.ca City of Kingston,
Ontario, Canada NetBios HTTP Backdoor 2020-06-15 dufferincounty.on.ca Dufferin County,
Ontario, Canada NetBios HTTP Backdoor 2020-07-17 osb.local
NetBios HTTP Backdoor 2020-04-28 oslerhc.org William Osler Health System NetBios HTTP Backdoor 2020-07-11 pageaz.gov City of Page NetBios HTTP Backdoor 2020-04-19 pcsco.com Professional Computer Systems NetBios HTTP Backdoor 2020-07-23 pkgix_
NetBios HTTP Backdoor 2020-07-15 pqcorp.com PQ Corporation NetBios HTTP Backdoor 2020-07-02 prod.hamilton. Hamilton Company NetBios HTTP Backdoor 2020-08-19 resprod.com Res Group (Renewable
energy company) NetBios HTTP Backdoor 2020-05-06 RPM.l
NetBios HTTP Backdoor 2020-05-28 sdch.local South Davis
Community Hospital NetBios HTTP Backdoor 2020-05-18 servitia.intern
NetBios HTTP Backdoor 2020-06-16 sfsi.stearnsban Stearns Bank NetBios HTTP Backdoor 2020-08-02 signaturebank.l Signature Bank NetBios HTTP Backdoor 2020-06-25 sm-group.local SM Group (Distribution) NetBios HTTP Backdoor 2020-07-07 te.nz TE Connectivity (Sensor
manufacturer) NetBios HTTP Backdoor 2020-05-13 thx8xb
NetBios HTTP Backdoor 2020-06-16 tx.org
NetBios HTTP Backdoor 2020-07-15 usd373.org Newton Public Schools NetBios HTTP Backdoor 2020-08-01 uzq
NetBios HTTP Backdoor 2020-10-02 ville.terrebonn Ville de Terrebonne NetBios HTTP Backdoor 2020-08-02 wrbaustralia.ad W. R. Berkley Insurance Australia NetBios HTTP Backdoor 2020-07-11 ykz
NetBios HTTP Backdoor 2020-07-11 2iqzth
ImpLink Enum processes 2020-06-17 3if.2l 3IF (Industrial Internet) ImpLink Enum processes 2020-08-20 airquality.org Sacramento Metropolitan
Air Quality Management District ImpLink Enum processes 2020-08-09 ansc.gob.pe GOB (Digital Platform of
the Peruvian State) ImpLink Enum processes 2020-07-25 bcofsa.com.ar Banco de Formosa ImpLink Enum processes 2020-07-13 bi.corp
ImpLink Enum processes 2020-12-14 bop.com.pk The Bank of Punjab ImpLink Enum processes 2020-09-18 camcity.local
ImpLink Enum processes 2020-08-07 cow.local
ImpLink Enum processes 2020-06-13 deniz.denizbank DenizBank ImpLink Enum processes 2020-11-14 ies.com IES Communications
(Communications technology) ImpLink Enum processes 2020-06-11 insead.org INSEAD Business School ImpLink Enum processes 2020-11-07 KS.LO
ImpLink Enum processes 2020-07-10 mixonhill.com Mixon Hill (intelligent
transportation systems) ImpLink Enum processes 2020-04-29 ni.corp.natins
ImpLink Enum processes 2020-10-24 phabahamas.org Public Hospitals Authority,
Caribbean ImpLink Enum processes 2020-11-05 rbe.sk.ca Regina Public Schools ImpLink Enum processes 2020-08-20 spsd.sk.ca Saskatoon Public Schools ImpLink Enum processes 2020-06-12 yorkton.cofy Community Options for
Families & Youth ImpLink Enum processes 2020-05-08 .sutmf
Ipx Update config 2020-06-25 atg.local
No Match Unknown 2020-05-11 bisco.int Bisco International
(Adhesives and tapes) No Match Unknown 2020-04-30 ccscurriculum.c
No Match Unknown 2020-04-18 e-idsolutions. IDSolutions (video conferencing) No Match Unknown 2020-07-16 ETC1.
No Match Unknown 2020-08-01 gk5
No Match Unknown 2020-07-09 grupobazar.loca
No Match Unknown 2020-06-07 internal.hws.o
No Match Unknown 2020-05-23 n2k
No Match Unknown 2020-07-12 publiser.it
No Match Unknown 2020-07-05 us.deloitte.co Deloitte No Match Unknown 2020-07-08 ush.com
No Match Unknown 2020-06-15 xijtt-
No Match Unknown 2020-07-21 xnet.kz X NET (IT provider in Kazakhstan) No Match Unknown 2020-06-09 zu0
No Match Unknown 2020-08-13 staff.technion.ac.il
N/A N/A N/A digitalreachinc.com
N/A N/A N/A orient-express.com
N/A N/A N/A tr.technion.ac.il
N/A N/A N/A lasers.state.la.us
N/A N/A N/A ABLE.
N/A N/A N/A abmuh_
N/A N/A N/A acmedctr.ad
N/A N/A N/A ad.azarthritis.com
N/A N/A N/A ad.library.ucla.edu
N/A N/A N/A ad.optimizely.
N/A N/A N/A admin.callidusc
N/A N/A N/A aerioncorp.com
N/A N/A N/A agloan.ads
N/A N/A N/A ah.org
N/A N/A N/A AHCCC
N/A N/A N/A allegronet.co.
N/A N/A N/A alm.brand.dk
N/A N/A N/A amalfi.local
N/A N/A N/A americas.phoeni
N/A N/A N/A amr.corp.intel
N/A N/A N/A apu.mn
N/A N/A N/A ARYZT
N/A N/A N/A b9f9hq
N/A N/A N/A BE.AJ
N/A N/A N/A belkin.com
N/A N/A N/A bk.local
N/A N/A N/A bmrn.com
N/A N/A N/A bok.com
N/A N/A N/A btb.az
N/A N/A N/A c4e-internal.c
N/A N/A N/A calsb.org
N/A N/A N/A casino.prv
N/A N/A N/A cda.corp
N/A N/A N/A central.pima.g
N/A N/A N/A cfsi.local
N/A N/A N/A ch.local
N/A N/A N/A ci.dublin.ca.
N/A N/A N/A cisco.com
N/A N/A N/A corp.dvd.com
N/A N/A N/A corp.sana.com
N/A N/A N/A Count
N/A N/A N/A COWI.
N/A N/A N/A coxnet.cox.com
N/A N/A N/A CRIHB
N/A N/A N/A cs.haystax.loc
N/A N/A N/A csa.local
N/A N/A N/A csci-va.com
N/A N/A N/A csqsxh
N/A N/A N/A DCCAT
N/A N/A N/A deltads.ent
N/A N/A N/A detmir-group.r
N/A N/A N/A dhhs-
N/A N/A N/A dmv.state.nv.
N/A N/A N/A dotcomm.org
N/A N/A N/A DPCIT
N/A N/A N/A dskb2x
N/A N/A N/A e9.2pz
N/A N/A N/A ebe.co.roanoke.va.us
N/A N/A N/A ecobank.group
N/A N/A N/A ecocorp.local
N/A N/A N/A epl.com
N/A N/A N/A fremont.lamrc.
N/A N/A N/A FSAR.
N/A N/A N/A ftfcu.corp
N/A N/A N/A gksm.local
N/A N/A N/A gloucesterva.ne
N/A N/A N/A glu.com
N/A N/A N/A gnb.local
N/A N/A N/A gncu.local
N/A N/A N/A gsf.cc
N/A N/A N/A gyldendal.local
N/A N/A N/A helixwater.org
N/A N/A N/A hgvc.com
N/A N/A N/A ia.com
N/A N/A N/A inf.dc.net
N/A N/A N/A ingo.kg
N/A N/A N/A innout.corp
N/A N/A N/A int.lukoil-international.uz
N/A N/A N/A intensive.int
N/A N/A N/A ions.com
N/A N/A N/A its.iastate.ed
N/A N/A N/A jarvis.lab
N/A N/A N/A -jlowd
N/A N/A N/A jn05n8
N/A N/A N/A jxb3eh
N/A N/A N/A k.com
N/A N/A N/A LABEL
N/A N/A N/A milledgeville.l
N/A N/A N/A nacr.com
N/A N/A N/A ncpa.loc
N/A N/A N/A neophotonics.co
N/A N/A N/A net.vestfor.dk
N/A N/A N/A nih.if
N/A N/A N/A nvidia.com
N/A N/A N/A on-pot
N/A N/A N/A ou0yoy
N/A N/A N/A paloverde.local
N/A N/A N/A pl8uw0
N/A N/A N/A q9owtt
N/A N/A N/A rai.com
N/A N/A N/A rccf.ru
N/A N/A N/A repsrv.com
N/A N/A N/A ripta.com
N/A N/A N/A roymerlin.com
N/A N/A N/A rs.local
N/A N/A N/A rst.atlantis-pak.ru
N/A N/A N/A sbywx3
N/A N/A N/A sc.pima.gov
N/A N/A N/A scif.com
N/A N/A N/A SCMRI
N/A N/A N/A scroot.com
N/A N/A N/A seattle.interna
N/A N/A N/A securview.local
N/A N/A N/A SFBAL
N/A N/A N/A SF-Li
N/A N/A N/A siskiyous.edu
N/A N/A N/A sjhsagov.org
N/A N/A N/A Smart
N/A N/A N/A smes.org
N/A N/A N/A sos-ad.state.nv.us
N/A N/A N/A sro.vestfor.dk
N/A N/A N/A superior.local
N/A N/A N/A swd.local
N/A N/A N/A ta.org
N/A N/A N/A taylorfarms.com
N/A N/A N/A thajxq
N/A N/A N/A thoughtspot.int
N/A N/A N/A tsyahr
N/A N/A N/A tv2.local
N/A N/A N/A uis.kent.edu
N/A N/A N/A uncity.dk
N/A N/A N/A uont.com
N/A N/A N/A viam-invenient
N/A N/A N/A vms.ad.varian.com
N/A N/A N/A vsp.com
N/A N/A N/A WASHO
N/A N/A N/A weioffice.com
N/A N/A N/A wfhf1.hewlett.
N/A N/A N/A woodruff-sawyer
N/A N/A N/A HQ.RE-wwgi2xnl
N/A N/A N/A xdxinc.net
N/A N/A N/A y9k.in
N/A N/A N/A zeb.i8
N/A N/A N/A zippertubing.co
N/A N/A N/A
undefined