16 December 2020

Microsoft and tech companies take over C&C domain used in SolarWinds attack



In a joint effort, Microsoft and industry partners have seized and sinkholed a key domain, avsvmcloud[.]com, that served as the command-and-control (C&C) server for the SUNBURST backdoor planted in trojanized SolarWinds Orion updates, ZDNet reported, citing sources familiar with the matter.

The SolarWinds hack became public over the weekend after the cybersecurity vendor FireEye published a report detailing the attack. Multiple US government entities are believed to have been affected by the campaign, including the US Treasury Department, the US Department of Commerce's National Telecommunications and Information Administration (NTIA), the National Institutes of Health (NIH) within the Department of Health and Human Services, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS) and the US Department of State, as well as FireEye itself. In FireEye's case, the hackers made off with the company's Red Team tools, a set of scripts, scanners and techniques that mimic the behavior of multiple threat actors.

In a security advisory, SolarWinds said that the hackers breached its network and inserted a backdoor, dubbed SUNBURST, into updates for Orion, its IT infrastructure monitoring and management platform. The backdoor gave the attackers a foothold from which to deploy additional malware on the networks of SolarWinds customers. Orion Platform versions 2019.4 through 2020.2.1, released between March and June 2020, are affected. SolarWinds estimates that fewer than 18,000 of its customers may have installed a tainted Orion update.

Additionally, on Tuesday SolarWinds released a second hotfix for the Orion platform to remove the backdoored component described above.

At present, the avsvmcloud[.]com domain resolves to an IP address owned by Microsoft, so Microsoft and its partners now receive the beacons from every system on which the trojanized SolarWinds app is installed and still phoning home, ZDNet said.
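The same beacons that now reach the sinkhole also leave a trace in a victim's own DNS logs, so the first check a defender wants is a search of resolver query logs for lookups under avsvmcloud.com. The script below is an added example, not code from the article, ZDNet or SolarWinds: it parses BIND-style query-log lines, matches the C&C domain by suffix (so that unrelated names that merely contain the string are not flagged), and groups the queried names by client address so each affected host can be pulled for investigation. The log lines are constructed for the example; the subdomain labels in them are made up and are not published indicators.

```python
"""Triage DNS resolver logs for lookups of the sinkholed SUNBURST C&C domain.

Added example; the log lines below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# C&C domain named in the article (shown defanged there as avsvmcloud[.]com).
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample lines in BIND query-log format. The hostnames under the
# C&C domain are invented for this example and are not real indicators.
SAMPLE_LOG = """\
16-Dec-2020 08:01:12.001 queries: info: client 10.1.2.3#51234: query: www.example.com IN A + (10.0.0.53)
16-Dec-2020 08:01:13.120 queries: info: client 10.1.2.3#51235: query: k3b0z8qpm1w2t5r9c7x4.appsync-api.eu-west-1.avsvmcloud.com IN A + (10.0.0.53)
16-Dec-2020 08:01:14.500 queries: info: client 10.1.7.9#40001: query: z9y8x7w6v5u4t3s2r1q0.appsync-api.us-west-2.avsvmcloud.com IN A + (10.0.0.53)
16-Dec-2020 08:01:15.900 queries: info: client 10.1.2.3#51236: query: m2n4b6v8c0x1z3a5s7d9.appsync-api.eu-west-1.AVSVMCLOUD.COM. IN A + (10.0.0.53)
16-Dec-2020 08:01:16.000 queries: info: client 10.1.8.8#40002: query: avsvmcloud.corp.internal IN A + (10.0.0.53)
16-Dec-2020 08:01:17.300 queries: info: client 10.1.8.8#40003: query: notavsvmcloud.com IN A + (10.0.0.53)
"""

# Pulls the client address and queried name out of a BIND query-log line.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F:.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()


def is_c2_lookup(qname: str, c2: str = C2_DOMAIN) -> bool:
    """True only for the C&C domain itself or a name beneath it.

    Suffix matching on "." + c2 avoids false positives such as
    notavsvmcloud.com or avsvmcloud.corp.internal.
    """
    n = normalize(qname)
    return n == c2 or n.endswith("." + c2)


def triage(log_text: str, c2: str = C2_DOMAIN) -> dict:
    """Map each client address to the sorted set of C&C names it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, or an unexpected format
        if is_c2_lookup(m.group("qname"), c2):
            hits[m.group("client")].add(normalize(m.group("qname")))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: {len(names)} lookup(s) under {C2_DOMAIN}")
        for name in names:
            print(f"    {name}")
```

Each client that appears in the output is a host that has been running the backdoored Orion build and should be treated as compromised until shown otherwise; the queried names themselves are worth preserving, since the beacon encodes information about the victim environment that responders and the sinkhole operators can correlate.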

Microsoft said it will begin blocking the known malicious SolarWinds binaries starting on Wednesday, December 16 at 8:00 AM PST.

Indicators of Compromise related to the SolarWinds supply-chain attack can be found here, here, and here.

