Microsoft today announced its intention to begin forcibly blocking and isolating versions of the SolarWinds Orion application that are known to contain Solorigate (SUNBURST) malware.
Microsoft’s move is a response to the massive supply-chain attack on software publisher SolarWinds that came to light over the weekend.
On Sunday, several media outlets reported that hackers linked to the Russian government had breached SolarWinds and inserted malware into updates for Orion, a network monitoring and inventory platform.
Shortly after the information was published, SolarWinds confirmed that Orion versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were contaminated with the malware.
Following the company’s official statement, Microsoft was one of the first cybersecurity vendors to confirm the SolarWinds incident. The same day, it added detection rules for the Solorigate malware embedded in the SolarWinds Orion application.
However, these rules only raised alerts; Microsoft Defender users were left to decide for themselves what to do with the Orion app.
Trojanized SolarWinds applications will be quarantined starting tomorrow
In a short blog post published today, Microsoft said it has now decided to force the known malicious Orion binaries into quarantine starting tomorrow.
“Starting Wednesday, December 16 at 8:00 am PST, Microsoft Defender Antivirus will begin blocking known malicious SolarWinds binaries. This will quarantine the binary even though the process is in progress,” Microsoft said.
The OS maker said it made the move for the benefit of its customers, even though it expects the change to break network monitoring tools for system administrators.
“It is important to understand that these binaries pose a significant threat to customer environments,” the company said.
“Customers must consider any device with the binary as compromised and should already be investigating devices with this alert,” the company added.
Microsoft has recommended that companies remove and investigate devices that have the trojanized Orion apps installed. The advice is in line with a DHS emergency directive released on Sunday, in which the Cybersecurity and Infrastructure Security Agency (CISA) recommended the same.
In SEC filings made on Monday, SolarWinds estimated that at least 18,000 customers had installed the trojanized Orion updates and most likely have the Solorigate (SUNBURST) malware on their internal networks.
On the vast majority of these networks, the malware is present but dormant. The SolarWinds hackers chose to deploy additional malware only on the networks of a few high-value targets. Currently known victims of attacks by this group include:
- American cybersecurity firm FireEye
- The US Treasury Department
- The National Telecommunications and Information Administration (NTIA) of the United States Department of Commerce
- The National Institutes of Health (NIH) of the Department of Health
- The Cybersecurity and Infrastructure Security Agency (CISA)
- The Department of Homeland Security (DHS)
- The US State Department