OpenText™ has been following the SolarWinds Sunburst attack campaign closely since it was disclosed on December 13, 2020.
To help reduce the risk to our customers, we continue to proactively review our systems to assess any potential impact of the issues described in the SolarWinds Security Advisory.
As part of Webroot® BrightCloud® Threat Intelligence, we were able to ensure the reported indicators of compromise (IOCs) including URLs, IP addresses, and file hashes were marked as threats in our databases within 24 hours of being shared with the broader security community. This means our network of BrightCloud Threat Intelligence partners, our Webroot MSP partners and our Webroot end users are protected against these known malicious IOCs. Webroot Secure Anywhere is positioned to quarantine known malicious file hashes for removal.
On December 14, Microsoft sinkholed the main C2 server used for communications for the threat campaign, "avsvmcloud[.]com". Following our sinkhole policy, we have updated the category for this domain from Malware to Computer Security to support the killswitch operation running on this domain. Other malicious domains associated with the campaign will still be marked as Malware.
Our threat analysts will continue to track newly revealed information about the attack campaign as well as carry out internal investigation of additional potential IOCs through contextual analysis. We are committed to ensuring that our customers and partners continue to be protected from any residual effects from the attack campaign.
For more information, contact your local Customer Support office.