An anonymous reader quotes a report from ZDNet: Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the matter. The domain in question is avsvmcloud[.]com, which served as command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app. SolarWinds Orion updates versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained a strain of malware named SUNBURST (also known as Solorigate). Once installed on a computer, the malware would sit dormant for 12 to 14 days and then ping a subdomain of avsvmcloud[.]com. According to analysis from security firm FireEye, the C&C domain would reply with a DNS response that contained a CNAME field with information on another domain from where the SUNBURST malware would obtain further instructions and additional payloads to execute on an infected company's network. Earlier today, a coalition of tech companies seized and sinkholed avsvmcloud[.]com, transferring the domain into Microsoft's possession. Sources familiar with today's actions described the takedown as "protective work" done to prevent the threat actor behind the SolarWinds hack from delivering new orders to infected computers.

Read more of this story at Slashdot.

Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card. From a report: Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems. [...] At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through. Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz). In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal. This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more. Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.

Read more of this story at Slashdot.

An anonymous reader shares a report: On an earnings call two months ago, SolarWinds Chief Executive Kevin Thompson touted how far the company had gone during his 11 years at the helm. There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call. "We don't think anyone else in the market is really even close in terms of the breadth of coverage we have," he said. "We manage everyone's network gear." Now that dominance has become a liability -- an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers. On Monday, SolarWinds confirmed that Orion -- its flagship network management software -- had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers. [...] Cybersecurity experts across government and private industry are still struggling to understand the scope of the damage, which some are already calling one of the most consequential breaches in recent memory. [...] Experts are reviewing their notes to find old examples of substandard security at the company. Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password "solarwinds123" "This could have been done by any attacker, easily," Kumar said. Others -- including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress -- noticed that, even days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

Read more of this story at Slashdot.

IT software provider SolarWinds downplayed a recent security breach in documents filed with the US Securities and Exchange Commission on Monday. From a report: SolarWinds disclosed on Sunday that a nation-state hacker group breached its network and inserted malware in updates for Orion, a software application for IT inventory management and monitoring. Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware, SolarWinds said in a security advisory. The trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers. But while initial news reports on Sunday suggested that all of SolarWinds' customers were impacted, in SEC documents filed today, SolarWinds said that of its 300,000 total customers, only 33,000 were using Orion, a software platform for IT inventory management and monitoring, and that fewer than 18,000 are believed to have installed the malware-laced update. The company said it notified all its 33,000 Orion customers on Sunday, even if they didn't install the trojanized Orion update, with information about the hack and mitigation steps they could take.

Read more of this story at Slashdot.