
Image: SolarWinds
Microsoft today announced plans to forcibly begin blocking and isolating versions of the SolarWinds Orion app known to contain Solorigate (SUNBURST) malware.
Microsoft’s decision follows the massive supply-chain attack on IT software vendor SolarWinds that came to light last weekend.
On Sunday, several news outlets reported that hackers linked to the Russian government breached SolarWinds and inserted malware into updates to Orion, a network monitoring and inventory platform.
Shortly after news reports went live, SolarWinds confirmed that Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were infected with malware.
According to the company’s official statement, Microsoft was one of the first cybersecurity vendors to confirm the SolarWinds incident. On the same day, the company added detection rules for the Solorigate malware in the SolarWinds Orion app.
However, these detection rules only raised alerts, leaving Microsoft Defender users to decide for themselves what to do with the Orion app.
Trojanized SolarWinds apps will be isolated from tomorrow
Now, in a short blog post today, Microsoft says it has decided to forcibly quarantine all known malicious Orion app binaries starting tomorrow.
“Starting Wednesday, December 16 at 8:00 am PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running,” said Microsoft.
The OS maker said it made this decision for the benefit of its customers, even though it expects the quarantine to break network monitoring tools in sysadmin environments.
“It is important to understand that these binaries pose a significant threat to customer environments,” the company said.
“Customers should consider any device with the binary file as compromised and should already investigate devices with this warning,” the company added.
Microsoft recommended that companies isolate and investigate devices that had the trojanized Orion apps installed. The advice is in line with a DHS emergency guideline published Sunday, in which the Cybersecurity and Infrastructure Security Agency (CISA) advised the same.
In SEC documents filed Monday, SolarWinds estimated that at least 18,000 customers have installed the trojanized Orion app updates and most likely have the Solorigate (SUNBURST) malware on their internal networks.
On the vast majority of these networks, the malware is present but dormant. The SolarWinds hackers chose to deploy additional malware only on the networks of a few high-value targets. Currently known victims of this group’s attacks include:
- American cybersecurity company FireEye
- The United States Treasury Department
- The National Telecommunications and Information Administration (NTIA) of the United States Department of Commerce
- The National Institutes of Health (NIH) of the Department of Health
- The Cybersecurity and Infrastructure Security Agency (CISA)
- The Department of Homeland Security (DHS)
- The United States Department of State