
Microsoft spots more than 40 organizations hit by SolarWinds hack

Company president calls on world to denounce government-backed supply chain attacks

Microsoft has found more than 40 of its customers — including itself — whose systems were compromised through the trojanized update to the SolarWinds Orion platform, the backdoor known as Solorigate/Sunburst.

In a Dec. 17 blog post, company president Brad Smith said that by using indicators of compromise detected by its Windows Defender anti-virus software, the company has been able to identify and notify these organizations.

About 80 per cent of them are in the United States, but there are also victims in Canada, the United Kingdom, Mexico, Belgium, Spain, Israel and the United Arab Emirates.

“It’s certain that the number and location of victims will keep growing,” Smith added.

Late Thursday, Microsoft revealed that it, too, was on the list. “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” Reuters quoted a Microsoft spokesperson as saying. The spokesperson also said the company had found “no indications that our systems were used to attack others.”

Government agencies were not the only targets of the attackers, believed to be a nation-state. Of the firms identified by Microsoft, 44 per cent were in the IT sector, 18 per cent were government departments, 18 per cent were non-government organizations or think tanks and nine per cent were government contractors.

Solorigate/Sunburst is a backdoor that was inserted into updates to SolarWinds’ Orion network management platform earlier this year; the trojanized updates were digitally signed with SolarWinds’ own code-signing certificate, so they installed like any legitimate release. It was discovered by FireEye during an investigation into how its red team tools had been stolen. SolarWinds estimates that up to 17,000 Orion customers may have installed the malicious update. However, it believes the attackers followed up on only a smaller number of those installations to get into the victims’ networks.

Kaspersky said its software identified about 100 of its customers that had received the backdoored Orion update. However, none of them had received the second stage of the attack.

SolarWinds has issued a hotfix.

“The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,” Smith wrote in his blog. “The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.”

Smith was also highly critical of two other trends: private cybersecurity companies that build and sell sophisticated network intrusion and surveillance tools to governments, and nation-states targeting COVID-19 research by universities and the pharmaceutical industry.

“Put together, these three trends point to a cybersecurity landscape that is even more daunting than when the year began. The most determined nation-state attackers are becoming more sophisticated. Risks are both growing and spreading to other governments through new private sector companies that aid and abet nation-state attackers. And nothing, not even a pandemic, is off-limits to these attackers,” Smith wrote.

He called on the public and private sectors to work more closely together, including through better sharing of threat intelligence. Internationally, “the U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law,” he added.

While the infected Orion updates were released between March and June, researchers at ReversingLabs found evidence that tampering with the platform’s software code and code signing infrastructure dates back to October 2019. That version of the update didn’t include the malicious backdoor code now known as Solorigate/Sunburst, they said in a blog post, but it did contain the .NET class that would eventually host it.

“This first code modification was clearly just a proof of concept,” said the researchers. “Their three-step action plan: Compromise the build system, inject their own code, and verify that their signed packages are going to appear on the client-side as expected. Once these objectives were met, and the attackers proved to themselves that the supply chain could be compromised, they started planning the real attack payload.

“The name of the class, OrionImprovementBusinessLayer, had been chosen deliberately. Not only to blend in with the rest of the code, but also to fool the software developers or anyone auditing the binaries. That class, and many of the methods it uses, can be found in other Orion software libraries, even thematically fitting with the code found within those libraries. This implies not only the intent to remain stealthy, but also that the attackers were highly familiar with the code base.”

For companies that operate valuable businesses or produce software critical to their customers, inspecting software and monitoring updates for signs of tampering, or for malicious or unwanted additions, must be part of the risk management process, ReversingLabs said.

Meanwhile, in a blog post, a senior security researcher at DomainTools noted that an initial infection doesn’t guarantee compromise. An attacker has to take some measure of control over infected devices and be able to move laterally within the network to other sources of value for collection or other objectives, he argued. “All of this activity, even if initial intrusion leapfrogs a large number of controls and monitoring points, leaves traces for detection and response.”
