Sunburst's C2 Secrets Reveal Second-Stage SolarWinds Victims (Security News, December 2020)
More information has come to light about the Sunburst backdoor that could help defenders get a better handle on the scope of the sprawling SolarWinds espionage attack.
With Sunburst embedded, the attackers have since been able to pick and choose which organizations to further penetrate.
Once implanted, Sunburst starts to communicate with a first-stage C2 by sending encoded DNS requests with information about the infected computer, so the attackers can decide whether to proceed to the next stage of infection.
If the attackers decide that an organization should be flagged for additional attention, the C2's next DNS response will include a CNAME record pointing to a second-level C2, a process that was also flagged by FireEye, with samples.
Importantly, the use of DNS requests can allow researchers to better identify victims of the attack, Raiu noted: "Knowing that the DNS requests generated by Sunburst encode some of the target's information, the obvious next step would be to extract that information to find out who the victims are."
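The beacon-and-CNAME behaviour described above gives defenders a simple triage rule over their own resolver logs: any internal host whose query to the first-stage domain drew a CNAME answer was selected for the second stage. The following is an added example (not code from the article or from the researchers it quotes) that applies that rule to constructed log lines; the domain `c2-placeholder.example`, the log format and the encoded-looking labels are all assumptions, since the article does not publish them.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). "c2-placeholder.example"
# stands in for the first-stage C2 domain, which the article does not name.
# Assumed format: "<timestamp> <client> <qname> <rtype> <answer>".
SAMPLE_LOG = """\
2020-12-14T10:00:01Z 10.1.2.10 encodedhost0001.c2-placeholder.example A 198.51.100.7
2020-12-14T10:00:02Z 10.1.2.11 encodedhost0002.c2-placeholder.example A 198.51.100.7
2020-12-14T10:05:03Z 10.1.2.11 encodedhost0002.c2-placeholder.example CNAME stage2.example.net
2020-12-14T10:06:00Z 10.1.2.12 www.example.com A 203.0.113.80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA|CNAME) (\S+)$")


def triage_beacons(log_text, c2_domain):
    """Map each client that queried a subdomain of c2_domain to
    {"beacons": count, "cname": target-or-None}. A CNAME answer is the
    indicator that the attackers selected that host for the second stage."""
    hosts = defaultdict(lambda: {"beacons": 0, "cname": None})
    suffix = "." + c2_domain.lower()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines in a noisy log
        _ts, client, qname, rtype, answer = m.groups()
        if not qname.lower().endswith(suffix):
            continue  # unrelated query
        rec = hosts[client]
        rec["beacons"] += 1
        if rtype == "CNAME":
            rec["cname"] = answer  # second-level C2 handed to this host
    return dict(hosts)


def second_stage_hosts(log_text, c2_domain):
    """Clients whose beacon drew a CNAME answer: the first hosts to investigate."""
    return sorted(c for c, r in triage_beacons(log_text, c2_domain).items() if r["cname"])


if __name__ == "__main__":
    for client, rec in triage_beacons(SAMPLE_LOG, "c2-placeholder.example").items():
        print(client, rec)
    print("second-stage hosts:", second_stage_hosts(SAMPLE_LOG, "c2-placeholder.example"))
```

Hosts that only beaconed still belong in the victim list; the CNAME set is the subset where the intrusion was taken further.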
News URL
https://threatpost.com/sunburst-c2-secrets-rsolarwinds-victims/162426/