Researchers shared the lists of victims of SolarWinds hack

by chebbi abir

Security experts shared lists of organizations that were infected with the SolarWinds Sunburst backdoor after decoding the DGA mechanism.

Security experts started analyzing the DGA mechanism used by threat actors behind the SolarWinds hack to control the Sunburst/Solarigate backdoor and published the list of targeted organizations.

 

Researchers from multiple cybersecurity firms published a list that contains major companies, including Cisco, Deloitte, Intel, Mediatek, and Nvidia.

The researchers decoded the DGA algorithm used by the backdoor to assign a subdomain of the C2 (avsvmcloud[.]com) for each of the compromised organizations.

“Prevasio would like to thank Zetalytics for providing us with an updated (larger) list of passive (historic) DNS queries for the domains generated by the malware.” reported the analysis published by Prevasio.

Researchers from several security firms, including TrueSec, Prevasio, QiAnXin RedDrip, and Kaspersky shared the results of their analysis.

Prevasio researchers detailed the decoding process, for example considering the following address:

fivu4vjamve5vfrtn2huov[.]appsync-api.us-west-2[.]avsvmcloud[.]com

“The first part of the domain name (before the first dot) consists of a 16-character random string, appended with an encoded computer’s domain name. This is the domain in which the local computer is registered.” state the researchers.

Other major companies, including FireEye, Microsoft, and VMware also revealed to have been impacted by the SolarWinds supply chain attack.

Truesec researchers speculate that threat actors might have exfiltrated a massive amount of highly confidential information from multiple organizations. It is also highly likely that attackers compromised the software and systems of their victims.

“This list contains the decoded values of internal domain names. We can therefore only assume that they belong to an organization based on the name of the domains and publicly available information,” reads the post published by TrueSec.

“More information will be disclosed during the upcoming months but the full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.”

DECODED INTERNAL NAME ORGANIZATION
(POSSIBLY INACCURATE)
RESPONSE ADDRESS FAMILY COMMAND FIRST SEEN
mnh.rg-law.ac.il College of Law and Business,
Israel
NetBios HTTP Backdoor 2020-05-26
ad001.mtk.lo Mediatek NetBios HTTP Backdoor 2020-08-26
Aeria   NetBios HTTP Backdoor 2020-06-26
Ameri   NetBios HTTP Backdoor 2020-08-02
ank.com Ankcom Communications NetBios HTTP Backdoor 2020-06-06
azlcyy   NetBios HTTP Backdoor 2020-08-07
banccentral.com BancCentral Financial
Services Corp.
NetBios HTTP Backdoor 2020-07-03
barrie.ca City of Barrie NetBios HTTP Backdoor 2020-05-13
BCC.l   NetBios HTTP Backdoor 2020-08-22
bhq.lan   NetBios HTTP Backdoor 2020-08-18
cds.capilanou. Capilano University NetBios HTTP Backdoor 2020-08-27
Centr   NetBios HTTP Backdoor 2020-06-24
chc.dom   NetBios HTTP Backdoor 2020-08-04
christieclinic. Christie Clinic Telehealth NetBios HTTP Backdoor 2020-04-22
CIMBM   NetBios HTTP Backdoor 2020-09-25
CIRCU   NetBios HTTP Backdoor 2020-05-30
CONSO   NetBios HTTP Backdoor 2020-06-17
corp.ptci.com Pioneer Telephone
Scholarship Recipients
NetBios HTTP Backdoor 2020-06-19
corp.stingraydi Stingray (Media and
entertainment)
NetBios HTTP Backdoor 2020-06-10
corp.stratusnet Stratus Networks NetBios HTTP Backdoor 2020-04-28
cosgroves.local Cosgroves (Building services
consulting)
NetBios HTTP Backdoor 2020-08-25
COTES Cotes (Humidity Management) NetBios HTTP Backdoor 2020-07-25
csnt.princegeor City of Prince George NetBios HTTP Backdoor 2020-09-18
cys.local CYS Group (Marketing analytics) NetBios HTTP Backdoor 2020-07-10
digitalsense.co Digital Sense (Cloud Services) NetBios HTTP Backdoor 2020-06-24
ehtuh-   NetBios HTTP Backdoor 2020-05-01
escap.org   NetBios HTTP Backdoor 2020-07-10
f.gnam   NetBios HTTP Backdoor 2020-04-04
fhc.local   NetBios HTTP Backdoor 2020-07-06
fidelitycomm.lo Fidelity Communications (ISP) NetBios HTTP Backdoor 2020-06-02
fisherbartoninc.com The Fisher Barton Group
(Blade Manufacturer)
NetBios HTTP Backdoor 2020-05-15
fmtn.ad City of Farmington NetBios HTTP Backdoor 2020-07-21
FWO.I   NetBios HTTP Backdoor 2020-08-05
ggsg-us.cisco Cisco GGSG NetBios HTTP Backdoor 2020-06-24
ghsmain1.ggh.g   NetBios HTTP Backdoor 2020-06-09
gxw   NetBios HTTP Backdoor 2020-07-07
htwanmgmt.local   NetBios HTTP Backdoor 2020-07-22
ieb.go.id   NetBios HTTP Backdoor 2020-06-12
int.ncahs.net   NetBios HTTP Backdoor 2020-09-23
internal.jtl.c   NetBios HTTP Backdoor 2020-05-19
ironform.com Ironform (metal fabrication) NetBios HTTP Backdoor 2020-06-19
isi   NetBios HTTP Backdoor 2020-07-06
itps.uk.net Infection Prevention Society (IPS) NetBios HTTP Backdoor 2020-08-11
jxxyx.   NetBios HTTP Backdoor 2020-06-26
kcpl.com Kansas City Power and
Light Company
NetBios HTTP Backdoor 2020-07-07
keyano.local Keyano College NetBios HTTP Backdoor 2020-06-03
khi0kl   NetBios HTTP Backdoor 2020-08-26
lhc_2f   NetBios HTTP Backdoor 2020-04-18
lufkintexas.net Lufkin (City in Texas) NetBios HTTP Backdoor 2020-07-07
magnoliaisd.loc Magnolia Independent
School District
NetBios HTTP Backdoor 2020-06-01
MOC.l   NetBios HTTP Backdoor 2020-04-30
moncton.loc City of Moncton NetBios HTTP Backdoor 2020-08-25
mountsinai.hosp Mount Sinai Hospital NetBios HTTP Backdoor 2020-07-02
netdecisions.lo Netdecisions (IT services) NetBios HTTP Backdoor 2020-10-04
newdirections.k   NetBios HTTP Backdoor 2020-04-21
nswhealth.net NSW Health NetBios HTTP Backdoor 2020-06-12
nzi_9p   NetBios HTTP Backdoor 2020-08-04
city.kingston.on.ca City of Kingston,
Ontario, Canada
NetBios HTTP Backdoor 2020-06-15
dufferincounty.on.ca Dufferin County,
Ontario, Canada
NetBios HTTP Backdoor 2020-07-17
osb.local   NetBios HTTP Backdoor 2020-04-28
oslerhc.org William Osler Health System NetBios HTTP Backdoor 2020-07-11
pageaz.gov City of Page NetBios HTTP Backdoor 2020-04-19
pcsco.com Professional Computer Systems NetBios HTTP Backdoor 2020-07-23
pkgix_   NetBios HTTP Backdoor 2020-07-15
pqcorp.com PQ Corporation NetBios HTTP Backdoor 2020-07-02
prod.hamilton. Hamilton Company NetBios HTTP Backdoor 2020-08-19
resprod.com Res Group (Renewable
energy company)
NetBios HTTP Backdoor 2020-05-06
RPM.l   NetBios HTTP Backdoor 2020-05-28
sdch.local South Davis
Community Hospital
NetBios HTTP Backdoor 2020-05-18
servitia.intern   NetBios HTTP Backdoor 2020-06-16
sfsi.stearnsban Stearns Bank NetBios HTTP Backdoor 2020-08-02
signaturebank.l Signature Bank NetBios HTTP Backdoor 2020-06-25
sm-group.local SM Group (Distribution) NetBios HTTP Backdoor 2020-07-07
te.nz TE Connectivity (Sensor
manufacturer)
NetBios HTTP Backdoor 2020-05-13
thx8xb   NetBios HTTP Backdoor 2020-06-16
tx.org   NetBios HTTP Backdoor 2020-07-15
usd373.org Newton Public Schools NetBios HTTP Backdoor 2020-08-01
uzq   NetBios HTTP Backdoor 2020-10-02
ville.terrebonn Ville de Terrebonne NetBios HTTP Backdoor 2020-08-02
wrbaustralia.ad W. R. Berkley Insurance Australia NetBios HTTP Backdoor 2020-07-11
ykz   NetBios HTTP Backdoor 2020-07-11
2iqzth   ImpLink Enum processes 2020-06-17
3if.2l 3IF (Industrial Internet) ImpLink Enum processes 2020-08-20
airquality.org Sacramento Metropolitan
Air Quality Management District
ImpLink Enum processes 2020-08-09
ansc.gob.pe GOB (Digital Platform of
the Peruvian State)
ImpLink Enum processes 2020-07-25
bcofsa.com.ar Banco de Formosa ImpLink Enum processes 2020-07-13
bi.corp   ImpLink Enum processes 2020-12-14
bop.com.pk The Bank of Punjab ImpLink Enum processes 2020-09-18
camcity.local   ImpLink Enum processes 2020-08-07
cow.local   ImpLink Enum processes 2020-06-13
deniz.denizbank DenizBank ImpLink Enum processes 2020-11-14
ies.com IES Communications
(Communications technology)
ImpLink Enum processes 2020-06-11
insead.org INSEAD Business School ImpLink Enum processes 2020-11-07
KS.LO   ImpLink Enum processes 2020-07-10
mixonhill.com Mixon Hill (intelligent
transportation systems)
ImpLink Enum processes 2020-04-29
ni.corp.natins   ImpLink Enum processes 2020-10-24
phabahamas.org Public Hospitals Authority,
Caribbean
ImpLink Enum processes 2020-11-05
rbe.sk.ca Regina Public Schools ImpLink Enum processes 2020-08-20
spsd.sk.ca Saskatoon Public Schools ImpLink Enum processes 2020-06-12
yorkton.cofy Community Options for
Families & Youth
ImpLink Enum processes 2020-05-08
.sutmf   Ipx Update config 2020-06-25
atg.local   No Match Unknown 2020-05-11
bisco.int Bisco International
(Adhesives and tapes)
No Match Unknown 2020-04-30
ccscurriculum.c   No Match Unknown 2020-04-18
e-idsolutions. IDSolutions (video conferencing) No Match Unknown 2020-07-16
ETC1.   No Match Unknown 2020-08-01
gk5   No Match Unknown 2020-07-09
grupobazar.loca   No Match Unknown 2020-06-07
internal.hws.o   No Match Unknown 2020-05-23
n2k   No Match Unknown 2020-07-12
publiser.it   No Match Unknown 2020-07-05
us.deloitte.co Deloitte No Match Unknown 2020-07-08
ush.com   No Match Unknown 2020-06-15
xijtt-   No Match Unknown 2020-07-21
xnet.kz X NET (IT provider in Kazakhstan) No Match Unknown 2020-06-09
zu0   No Match Unknown 2020-08-13
staff.technion.ac.il   N/A N/A N/A
digitalreachinc.com   N/A N/A N/A
orient-express.com   N/A N/A N/A
tr.technion.ac.il   N/A N/A N/A
lasers.state.la.us   N/A N/A N/A
ABLE.   N/A N/A N/A
abmuh_   N/A N/A N/A
acmedctr.ad   N/A N/A N/A
ad.azarthritis.com   N/A N/A N/A
ad.library.ucla.edu   N/A N/A N/A
ad.optimizely.   N/A N/A N/A
admin.callidusc   N/A N/A N/A
aerioncorp.com   N/A N/A N/A
agloan.ads   N/A N/A N/A
ah.org   N/A N/A N/A
AHCCC   N/A N/A N/A
allegronet.co.   N/A N/A N/A
alm.brand.dk   N/A N/A N/A
amalfi.local   N/A N/A N/A
americas.phoeni   N/A N/A N/A
amr.corp.intel   N/A N/A N/A
apu.mn   N/A N/A N/A
ARYZT   N/A N/A N/A
b9f9hq   N/A N/A N/A
BE.AJ   N/A N/A N/A
belkin.com   N/A N/A N/A
bk.local   N/A N/A N/A
bmrn.com   N/A N/A N/A
bok.com   N/A N/A N/A
btb.az   N/A N/A N/A
c4e-internal.c   N/A N/A N/A
calsb.org   N/A N/A N/A
casino.prv   N/A N/A N/A
cda.corp   N/A N/A N/A
central.pima.g   N/A N/A N/A
cfsi.local   N/A N/A N/A
ch.local   N/A N/A N/A
ci.dublin.ca.   N/A N/A N/A
cisco.com   N/A N/A N/A
corp.dvd.com   N/A N/A N/A
corp.sana.com   N/A N/A N/A
Count   N/A N/A N/A
COWI.   N/A N/A N/A
coxnet.cox.com   N/A N/A N/A
CRIHB   N/A N/A N/A
cs.haystax.loc   N/A N/A N/A
csa.local   N/A N/A N/A
csci-va.com   N/A N/A N/A
csqsxh   N/A N/A N/A
DCCAT   N/A N/A N/A
deltads.ent   N/A N/A N/A
detmir-group.r   N/A N/A N/A
dhhs-   N/A N/A N/A
dmv.state.nv.   N/A N/A N/A
dotcomm.org   N/A N/A N/A
DPCIT   N/A N/A N/A
dskb2x   N/A N/A N/A
e9.2pz   N/A N/A N/A
ebe.co.roanoke.va.us   N/A N/A N/A
ecobank.group   N/A N/A N/A
ecocorp.local   N/A N/A N/A
epl.com   N/A N/A N/A
fremont.lamrc.   N/A N/A N/A
FSAR.   N/A N/A N/A
ftfcu.corp   N/A N/A N/A
gksm.local   N/A N/A N/A
gloucesterva.ne   N/A N/A N/A
glu.com   N/A N/A N/A
gnb.local   N/A N/A N/A
gncu.local   N/A N/A N/A
gsf.cc   N/A N/A N/A
gyldendal.local   N/A N/A N/A
helixwater.org   N/A N/A N/A
hgvc.com   N/A N/A N/A
ia.com   N/A N/A N/A
inf.dc.net   N/A N/A N/A
ingo.kg   N/A N/A N/A
innout.corp   N/A N/A N/A
int.lukoil-international.uz   N/A N/A N/A
intensive.int   N/A N/A N/A
ions.com   N/A N/A N/A
its.iastate.ed   N/A N/A N/A
jarvis.lab   N/A N/A N/A
-jlowd   N/A N/A N/A
jn05n8   N/A N/A N/A
jxb3eh   N/A N/A N/A
k.com   N/A N/A N/A
LABEL   N/A N/A N/A
milledgeville.l   N/A N/A N/A
nacr.com   N/A N/A N/A
ncpa.loc   N/A N/A N/A
neophotonics.co   N/A N/A N/A
net.vestfor.dk   N/A N/A N/A
nih.if   N/A N/A N/A
nvidia.com   N/A N/A N/A
on-pot   N/A N/A N/A
ou0yoy   N/A N/A N/A
paloverde.local   N/A N/A N/A
pl8uw0   N/A N/A N/A
q9owtt   N/A N/A N/A
rai.com   N/A N/A N/A
rccf.ru   N/A N/A N/A
repsrv.com   N/A N/A N/A
ripta.com   N/A N/A N/A
roymerlin.com   N/A N/A N/A
rs.local   N/A N/A N/A
rst.atlantis-pak.ru   N/A N/A N/A
sbywx3   N/A N/A N/A
sc.pima.gov   N/A N/A N/A
scif.com   N/A N/A N/A
SCMRI   N/A N/A N/A
scroot.com   N/A N/A N/A
seattle.interna   N/A N/A N/A
securview.local   N/A N/A N/A
SFBAL   N/A N/A N/A
SF-Li   N/A N/A N/A
siskiyous.edu   N/A N/A N/A
sjhsagov.org   N/A N/A N/A
Smart   N/A N/A N/A
smes.org   N/A N/A N/A
sos-ad.state.nv.us   N/A N/A N/A
sro.vestfor.dk   N/A N/A N/A
superior.local   N/A N/A N/A
swd.local   N/A N/A N/A
ta.org   N/A N/A N/A
taylorfarms.com   N/A N/A N/A
thajxq   N/A N/A N/A
thoughtspot.int   N/A N/A N/A
tsyahr   N/A N/A N/A
tv2.local   N/A N/A N/A
uis.kent.edu   N/A N/A N/A
uncity.dk   N/A N/A N/A
uont.com   N/A N/A N/A
viam-invenient   N/A N/A N/A
vms.ad.varian.com   N/A N/A N/A
vsp.com   N/A N/A N/A
WASHO   N/A N/A N/A
weioffice.com   N/A N/A N/A
wfhf1.hewlett.   N/A N/A N/A
woodruff-sawyer   N/A N/A N/A
HQ.RE-wwgi2xnl   N/A N/A N/A
xdxinc.net   N/A N/A N/A
y9k.in   N/A N/A N/A
zeb.i8   N/A N/A N/A
zippertubing.co   N/A N/A N/A

 

To read the original article:

https://securityaffairs.co/wordpress/112555/hacking/solarwinds-victims-lists.html

Top

Interdit de copier  ce contenu