Security experts shared lists of organizations that were infected with the SolarWinds Sunburst backdoor after decoding the DGA mechanism.

Security experts started analyzing the DGA mechanism used by threat actors behind the SolarWinds hack to control the Sunburst/Solarigate backdoor and published the list of targeted organizations.

Researchers from multiple cybersecurity firms published a list that contains major companies, including Cisco, Deloitte, Intel, Mediatek, and Nvidia.

The researchers decoded the DGA algorithm used by the backdoor to assign a subdomain of the C2 (avsvmcloud[.]com) for each of the compromised organizations.

“Prevasio would like to thank Zetalytics for providing us with an updated (larger) list of passive (historic) DNS queries for the domains generated by the malware.” reported the analysis published by Prevasio.

Researchers from several security firms, including TrueSec, Prevasio, QiAnXin RedDrip, and Kaspersky shared the results of their analysis.

By decoding the #DGA domain names, we discovered nearly a hundred domains suspected to be attacked by #UNC2452 #SolarWinds, including universities, governments and high tech companies such as @Intel and @Cisco. Visit our github project to get the script.https://t.co/jsnOldynCV pic.twitter.com/40VfXuR6JI— RedDrip Team (@RedDrip7) December 16, 2020Prevasio researchers detailed the decoding process, for example considering the following address:

fivu4vjamve5vfrtn2huov[.]appsync-api.us-west-2[.]avsvmcloud[.]com

“The first part of the domain name (before the first dot) consists of a 16-character random string, appended with an encoded computer’s domain name. This is the domain in which the local computer is registered.” state the researchers.

Other major companies, including FireEye, Microsoft, and VMware also revealed to have been impacted by the SolarWinds supply chain attack.

Truesec researchers speculate that threat actors might have exfiltrated a massive amount of highly confidential information from multiple organizations. It is also highly likely that attackers compromised the software and systems of their victims.

“This list contains the decoded values of internal domain names. We can therefore only assume that they belong to an organization based on the name of the domains and publicly available information,” reads the post published by TrueSec.

“More information will be disclosed during the upcoming months but the full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.”

Decoded Internal NameOrganization(possibly inaccurate)Response Address FamilyCommandFirst Seenmnh.rg-law.ac.ilCollege of Law and Business,IsraelNetBiosHTTP Backdoor2020-05-26ad001.mtk.loMediatekNetBiosHTTP Backdoor2020-08-26Aeria NetBiosHTTP Backdoor2020-06-26Ameri NetBiosHTTP Backdoor2020-08-02ank.comAnkcom CommunicationsNetBiosHTTP Backdoor2020-06-06azlcyy NetBiosHTTP Backdoor2020-08-07banccentral.comBancCentral FinancialServices Corp.NetBiosHTTP Backdoor2020-07-03barrie.caCity of BarrieNetBiosHTTP Backdoor2020-05-13BCC.l NetBiosHTTP Backdoor2020-08-22bhq.lan NetBiosHTTP Backdoor2020-08-18cds.capilanou.Capilano UniversityNetBiosHTTP Backdoor2020-08-27Centr NetBiosHTTP Backdoor2020-06-24chc.dom NetBiosHTTP Backdoor2020-08-04christieclinic.Christie Clinic TelehealthNetBiosHTTP Backdoor2020-04-22CIMBM NetBiosHTTP Backdoor2020-09-25CIRCU NetBiosHTTP Backdoor2020-05-30CONSO NetBiosHTTP Backdoor2020-06-17corp.ptci.comPioneer TelephoneScholarship RecipientsNetBiosHTTP Backdoor2020-06-19corp.stingraydiStingray (Media andentertainment)NetBiosHTTP Backdoor2020-06-10corp.stratusnetStratus NetworksNetBiosHTTP Backdoor2020-04-28cosgroves.localCosgroves (Building servicesconsulting)NetBiosHTTP Backdoor2020-08-25COTESCotes (Humidity Management)NetBiosHTTP Backdoor2020-07-25csnt.princegeorCity of Prince GeorgeNetBiosHTTP Backdoor2020-09-18cys.localCYS Group (Marketing analytics)NetBiosHTTP Backdoor2020-07-10digitalsense.coDigital Sense (Cloud Services)NetBiosHTTP Backdoor2020-06-24ehtuh- NetBiosHTTP Backdoor2020-05-01escap.org NetBiosHTTP Backdoor2020-07-10f.gnam NetBiosHTTP Backdoor2020-04-04fhc.local NetBiosHTTP Backdoor2020-07-06fidelitycomm.loFidelity Communications (ISP)NetBiosHTTP Backdoor2020-06-02fisherbartoninc.comThe Fisher Barton Group(Blade Manufacturer)NetBiosHTTP Backdoor2020-05-15fmtn.adCity of FarmingtonNetBiosHTTP Backdoor2020-07-21FWO.I NetBiosHTTP Backdoor2020-08-05ggsg-us.ciscoCisco GGSGNetBiosHTTP Backdoor2020-06-24ghsmain1.ggh.g NetBiosHTTP Backdoor2020-06-09gxw NetBiosHTTP Backdoor2020-07-07htwanmgmt.local NetBiosHTTP Backdoor2020-07-22ieb.go.id NetBiosHTTP Backdoor2020-06-12int.ncahs.net NetBiosHTTP Backdoor2020-09-23internal.jtl.c NetBiosHTTP Backdoor2020-05-19ironform.comIronform (metal fabrication)NetBiosHTTP Backdoor2020-06-19isi NetBiosHTTP Backdoor2020-07-06itps.uk.netInfection Prevention Society (IPS)NetBiosHTTP Backdoor2020-08-11jxxyx. NetBiosHTTP Backdoor2020-06-26kcpl.comKansas City Power andLight CompanyNetBiosHTTP Backdoor2020-07-07keyano.localKeyano CollegeNetBiosHTTP Backdoor2020-06-03khi0kl NetBiosHTTP Backdoor2020-08-26lhc_2f NetBiosHTTP Backdoor2020-04-18lufkintexas.netLufkin (City in Texas)NetBiosHTTP Backdoor2020-07-07magnoliaisd.locMagnolia IndependentSchool DistrictNetBiosHTTP Backdoor2020-06-01MOC.l NetBiosHTTP Backdoor2020-04-30moncton.locCity of MonctonNetBiosHTTP Backdoor2020-08-25mountsinai.hospMount Sinai HospitalNetBiosHTTP Backdoor2020-07-02netdecisions.loNetdecisions (IT services)NetBiosHTTP Backdoor2020-10-04newdirections.k NetBiosHTTP Backdoor2020-04-21nswhealth.netNSW HealthNetBiosHTTP Backdoor2020-06-12nzi_9p NetBiosHTTP Backdoor2020-08-04city.kingston.on.caCity of Kingston,Ontario, CanadaNetBiosHTTP Backdoor2020-06-15dufferincounty.on.caDufferin County,Ontario, CanadaNetBiosHTTP Backdoor2020-07-17osb.local NetBiosHTTP Backdoor2020-04-28oslerhc.orgWilliam Osler Health SystemNetBiosHTTP Backdoor2020-07-11pageaz.govCity of PageNetBiosHTTP Backdoor2020-04-19pcsco.comProfessional Computer SystemsNetBiosHTTP Backdoor2020-07-23pkgix_ NetBiosHTTP Backdoor2020-07-15pqcorp.comPQ CorporationNetBiosHTTP Backdoor2020-07-02prod.hamilton.Hamilton CompanyNetBiosHTTP Backdoor2020-08-19resprod.comRes Group (Renewableenergy company)NetBiosHTTP Backdoor2020-05-06RPM.l NetBiosHTTP Backdoor2020-05-28sdch.localSouth DavisCommunity HospitalNetBiosHTTP Backdoor2020-05-18servitia.intern NetBiosHTTP Backdoor2020-06-16sfsi.stearnsbanStearns BankNetBiosHTTP Backdoor2020-08-02signaturebank.lSignature BankNetBiosHTTP Backdoor2020-06-25sm-group.localSM Group (Distribution)NetBiosHTTP Backdoor2020-07-07te.nzTE Connectivity (Sensormanufacturer)NetBiosHTTP Backdoor2020-05-13thx8xb NetBiosHTTP Backdoor2020-06-16tx.org NetBiosHTTP Backdoor2020-07-15usd373.orgNewton Public SchoolsNetBiosHTTP Backdoor2020-08-01uzq NetBiosHTTP Backdoor2020-10-02ville.terrebonnVille de TerrebonneNetBiosHTTP Backdoor2020-08-02wrbaustralia.adW. R. Berkley Insurance AustraliaNetBiosHTTP Backdoor2020-07-11ykz NetBiosHTTP Backdoor2020-07-112iqzth ImpLinkEnum processes2020-06-173if.2l3IF (Industrial Internet)ImpLinkEnum processes2020-08-20airquality.orgSacramento MetropolitanAir Quality Management DistrictImpLinkEnum processes2020-08-09ansc.gob.peGOB (Digital Platform ofthe Peruvian State)ImpLinkEnum processes2020-07-25bcofsa.com.arBanco de FormosaImpLinkEnum processes2020-07-13bi.corp ImpLinkEnum processes2020-12-14bop.com.pkThe Bank of PunjabImpLinkEnum processes2020-09-18camcity.local ImpLinkEnum processes2020-08-07cow.local ImpLinkEnum processes2020-06-13deniz.denizbankDenizBankImpLinkEnum processes2020-11-14ies.comIES Communications(Communications technology)ImpLinkEnum processes2020-06-11insead.orgINSEAD Business SchoolImpLinkEnum processes2020-11-07KS.LO ImpLinkEnum processes2020-07-10mixonhill.comMixon Hill (intelligenttransportation systems)ImpLinkEnum processes2020-04-29ni.corp.natins ImpLinkEnum processes2020-10-24phabahamas.orgPublic Hospitals Authority,CaribbeanImpLinkEnum processes2020-11-05rbe.sk.caRegina Public SchoolsImpLinkEnum processes2020-08-20spsd.sk.caSaskatoon Public SchoolsImpLinkEnum processes2020-06-12yorkton.cofyCommunity Options forFamilies & YouthImpLinkEnum processes2020-05-08.sutmf IpxUpdate config2020-06-25atg.local No MatchUnknown2020-05-11bisco.intBisco International(Adhesives and tapes)No MatchUnknown2020-04-30ccscurriculum.c No MatchUnknown2020-04-18e-idsolutions.IDSolutions (video conferencing)No MatchUnknown2020-07-16ETC1. No MatchUnknown2020-08-01gk5 No MatchUnknown2020-07-09grupobazar.loca No MatchUnknown2020-06-07internal.hws.o No MatchUnknown2020-05-23n2k No MatchUnknown2020-07-12publiser.it No MatchUnknown2020-07-05us.deloitte.coDeloitteNo MatchUnknown2020-07-08ush.com No MatchUnknown2020-06-15xijtt- No MatchUnknown2020-07-21xnet.kzX NET (IT provider in Kazakhstan)No MatchUnknown2020-06-09zu0 No MatchUnknown2020-08-13staff.technion.ac.il N/AN/AN/Adigitalreachinc.com N/AN/AN/Aorient-express.com N/AN/AN/Atr.technion.ac.il N/AN/AN/Alasers.state.la.us N/AN/AN/AABLE. N/AN/AN/Aabmuh_ N/AN/AN/Aacmedctr.ad N/AN/AN/Aad.azarthritis.com N/AN/AN/Aad.library.ucla.edu N/AN/AN/Aad.optimizely. N/AN/AN/Aadmin.callidusc N/AN/AN/Aaerioncorp.com N/AN/AN/Aagloan.ads N/AN/AN/Aah.org N/AN/AN/AAHCCC N/AN/AN/Aallegronet.co. N/AN/AN/Aalm.brand.dk N/AN/AN/Aamalfi.local N/AN/AN/Aamericas.phoeni N/AN/AN/Aamr.corp.intel N/AN/AN/Aapu.mn N/AN/AN/AARYZT N/AN/AN/Ab9f9hq N/AN/AN/ABE.AJ N/AN/AN/Abelkin.com N/AN/AN/Abk.local N/AN/AN/Abmrn.com N/AN/AN/Abok.com N/AN/AN/Abtb.az N/AN/AN/Ac4e-internal.c N/AN/AN/Acalsb.org N/AN/AN/Acasino.prv N/AN/AN/Acda.corp N/AN/AN/Acentral.pima.g N/AN/AN/Acfsi.local N/AN/AN/Ach.local N/AN/AN/Aci.dublin.ca. N/AN/AN/Acisco.com N/AN/AN/Acorp.dvd.com N/AN/AN/Acorp.sana.com N/AN/AN/ACount N/AN/AN/ACOWI. N/AN/AN/Acoxnet.cox.com N/AN/AN/ACRIHB N/AN/AN/Acs.haystax.loc N/AN/AN/Acsa.local N/AN/AN/Acsci-va.com N/AN/AN/Acsqsxh N/AN/AN/ADCCAT N/AN/AN/Adeltads.ent N/AN/AN/Adetmir-group.r N/AN/AN/Adhhs- N/AN/AN/Admv.state.nv. N/AN/AN/Adotcomm.org N/AN/AN/ADPCIT N/AN/AN/Adskb2x N/AN/AN/Ae9.2pz N/AN/AN/Aebe.co.roanoke.va.us N/AN/AN/Aecobank.group N/AN/AN/Aecocorp.local N/AN/AN/Aepl.com N/AN/AN/Afremont.lamrc. N/AN/AN/AFSAR. N/AN/AN/Aftfcu.corp N/AN/AN/Agksm.local N/AN/AN/Agloucesterva.ne N/AN/AN/Aglu.com N/AN/AN/Agnb.local N/AN/AN/Agncu.local N/AN/AN/Agsf.cc N/AN/AN/Agyldendal.local N/AN/AN/Ahelixwater.org N/AN/AN/Ahgvc.com N/AN/AN/Aia.com N/AN/AN/Ainf.dc.net N/AN/AN/Aingo.kg N/AN/AN/Ainnout.corp N/AN/AN/Aint.lukoil-international.uz N/AN/AN/Aintensive.int N/AN/AN/Aions.com N/AN/AN/Aits.iastate.ed N/AN/AN/Ajarvis.lab N/AN/AN/A-jlowd N/AN/AN/Ajn05n8 N/AN/AN/Ajxb3eh N/AN/AN/Ak.com N/AN/AN/ALABEL N/AN/AN/Amilledgeville.l N/AN/AN/Anacr.com N/AN/AN/Ancpa.loc N/AN/AN/Aneophotonics.co N/AN/AN/Anet.vestfor.dk N/AN/AN/Anih.if N/AN/AN/Anvidia.com N/AN/AN/Aon-pot N/AN/AN/Aou0yoy N/AN/AN/Apaloverde.local N/AN/AN/Apl8uw0 N/AN/AN/Aq9owtt N/AN/AN/Arai.com N/AN/AN/Arccf.ru N/AN/AN/Arepsrv.com N/AN/AN/Aripta.com N/AN/AN/Aroymerlin.com N/AN/AN/Ars.local N/AN/AN/Arst.atlantis-pak.ru N/AN/AN/Asbywx3 N/AN/AN/Asc.pima.gov N/AN/AN/Ascif.com N/AN/AN/ASCMRI N/AN/AN/Ascroot.com N/AN/AN/Aseattle.interna N/AN/AN/Asecurview.local N/AN/AN/ASFBAL N/AN/AN/ASF-Li N/AN/AN/Asiskiyous.edu N/AN/AN/Asjhsagov.org N/AN/AN/ASmart N/AN/AN/Asmes.org N/AN/AN/Asos-ad.state.nv.us N/AN/AN/Asro.vestfor.dk N/AN/AN/Asuperior.local N/AN/AN/Aswd.local N/AN/AN/Ata.org N/AN/AN/Ataylorfarms.com N/AN/AN/Athajxq N/AN/AN/Athoughtspot.int N/AN/AN/Atsyahr N/AN/AN/Atv2.local N/AN/AN/Auis.kent.edu N/AN/AN/Auncity.dk N/AN/AN/Auont.com N/AN/AN/Aviam-invenient N/AN/AN/Avms.ad.varian.com N/AN/AN/Avsp.com N/AN/AN/AWASHO N/AN/AN/Aweioffice.com N/AN/AN/Awfhf1.hewlett. N/AN/AN/Awoodruff-sawyer N/AN/AN/AHQ.RE-wwgi2xnl N/AN/AN/Axdxinc.net N/AN/AN/Ay9k.in N/AN/AN/Azeb.i8 N/AN/AN/Azippertubing.co N/AN/AN/A

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Solarwinds)

The post Researchers shared the lists of victims of SolarWinds hack appeared first on Security Affairs.