SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Thursday, December 17th 2020

SANS ISC Handlers

News, Tech News

🗓️ 17 December 2020

⏱️ 6 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Cloud DNS Logs; Solarwinds Update; HPE SIM Vuln; SAP HANA SAML Weakness @martingalloar

Transcript

0:00.0

Hello, welcome to the Thursday, December 17th, 2020 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida.

0:14.4

If you follow it, then you probably can't avoid the SolarWinds compromise. One of the critical indicators of compromise that has often been mentioned is DNS queries.

0:26.6

One of the first things the backdoor does when it's deployed is to reach out to a host within the avsvmcloud.com domain. So the first thing to do for you as a defender and

0:41.3

a threat hunter, of course, is to check your DNS logs for queries for this domain. Well, it turns out

0:49.3

if your infrastructure is mostly cloud-based, this may be a difficult undertaking.

0:56.8

And in today's diary, Danielle is going over some of the options that you have available

1:01.7

here in Azure and in AWS. And, well, some of these features actually have just recently

1:07.9

become available, so it's unlikely that you will have DNS logs going back

1:13.6

to March, which is what you really need in this particular case.

1:17.6

Talking about SolarWinds and this avsvmcloud.com domain, it turns out that FireEye apparently

1:26.6

has taken possession of this particular domain name.

1:30.9

This should put an end to any additional spread of the malware because the first thing that

1:37.1

the malware apparently does is download additional code from a hostname within that domain.

1:44.1

FireEye is pointing the hostnames

1:46.6

now to addresses within Microsoft's IP address space. GoDaddy is the registrar at this point.

1:55.9

So if you do name resolution of these hostnames today, you will end up with Microsoft IP addresses.

2:03.8

You should still look for DNS queries and outbound traffic for this particular domain name,

2:11.3

so that's still a good indicator, but don't be surprised if the connection then points to a Microsoft IP address.

2:20.3

The German computer magazine heise has an interesting article related to SolarWinds, pointing

2:27.2

to a now no longer public support document, published by SolarWinds back in 2018, requesting that customers exempt any

2:38.8

SolarWinds-related directories from antivirus scans. This is very common and usually bad

2:46.4

advice where a vendor feels that antivirus may impact performance of their product and requests that

...
