Dive Brief:
- Microsoft will begin blocking the malicious binaries related to the SolarWinds Orion vulnerability with Microsoft Defender Antivirus on Wednesday, the company announced.
- The antivirus solution will quarantine the trojan before it can begin processing. However, because SolarWinds Orion is a Network Management System (NMS) closely tied to servers, "it may not be simple to remove the product from service," according to Microsoft.
- Microsoft warned customers they should "consider any drive with the binary as compromised," including the accounts with access to the devices. Companies should have already begun investigations into the device timeline, looking for "indications of lateral movement activities," according to the announcement.
Dive Insight:
As fallout continues from the SolarWinds Orion vulnerability, known as Solorigate or SUNBURST, affected companies and federal agencies are relying on private sector involvement. "Post-infrastructure product decisions made by tech companies create strategic facts that often outweigh national policy ability to control for vulnerabilities and risk," said Philip Reiner, CEO of the Institute for Security and Technology.
The federal government relies on technology supplied by private third parties, "because it has no choice," said Reiner. As adoption continues, supply chain threats will grow. Federal agencies can no longer rely on code they wrote and tested on their networks.
The SolarWinds supply chain attack is far-reaching. The company alerted 33,000 customers using Orion during the time the product updates were compromised, though the company said about 18,000 customers were impacted. Affected federal agencies reportedly include The Departments of Homeland Security, State, Treasury and Commerce.
With a loyal customer base around the world, SolarWinds software is used well beyond the public sector. In fact, SolarWinds is "so prevalent," its Orion platform "is to NMS what Kleenex is to Tissues," said Jake Williams, SANS analyst and senior SANS instructor, in a SANS Institute webinar Monday.
NMS needs to communicate with managed and monitored devices, making it a primary target for malicious activity. "Many NMS are configured to both monitor for events and respond to them," said Williams. "This means that the [NMS] can make changes on behalf of its configuration," so attackers can make the same changes as the NMS after compromising the tool.
Companies are not safeguarded from infection even if the networking devices they manage in SolarWinds are configured without credentials. Even if the software has no way of jumping to a company's Windows systems, if an attacker has access to changing configurations, it would be very easy for them to "basically reshape traffic on the local network and position themselves for those man-in-the-middle opportunities," said Williams. At that point, it's just a matter of time before an attacker gains access to a machine.
Microsoft joined other tech companies to "seize and sinkhole" the "avsvmcloud[.]com" domain, reported ZDNet. The domain is the command and control server of the operation delivering the malware. Microsoft obtained the domain, which was "designed to mimic normal SolarWinds API communications," according to FireEye.
FireEye released other domains related to SUNBURST and BEACON that companies can use as indicators of compromise (IOC) in domain name system logging. The domains have Russian attribution, labeled as UNC2452, though finding nothing is insufficient to rule out an attack, according to Williams. "Nothing means you just don't see it," and the domains found by FireEye are likely an incomplete list.
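As an added example (not code from the article, FireEye or Microsoft), this is the kind of DNS-log IOC sweep the paragraph describes: it refangs the published indicator, flags exact matches and any subdomain of it in resolver query logs, and returns only positive hits, so an empty result means "not seen", not "not present". The log line format, the sample lines and the client addresses are constructed assumptions; the IOC list holds only the domain named in this article.

```python
import re
from typing import Dict, Iterable, List, Optional

# IOC list as published in defanged form; only the domain named in the article.
# Extend this with the rest of FireEye's released domains before a real sweep.
IOC_DOMAINS_DEFANGED = ["avsvmcloud[.]com"]

def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a comparable FQDN."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")

def matches_ioc(qname: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IOC a queried name hits (exact match or any subdomain), else None."""
    name = qname.lower().rstrip(".")
    for ioc in ioc_domains:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None  # 'notavsvmcloud.com' must NOT match 'avsvmcloud.com'

# Assumed resolver log shape (hypothetical): "<date> <time> client <ip> query: <qname> <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+) query: (?P<qname>\S+) (?P<qtype>\w+)$"
)

def scan_dns_log(lines: Iterable[str], ioc_domains_defanged: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose queried name hits an IOC domain."""
    iocs = [refang(d) for d in ioc_domains_defanged]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skipped, which is another reason silence is not proof
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"].rstrip("."), "ioc": ioc})
    return hits

# Constructed sample log lines (not real telemetry); addresses and names are made up.
SAMPLE_LOG = """\
2020-12-14 03:12:07 client 10.20.30.40 query: updates.example-corp.local. A
2020-12-14 03:12:09 client 10.20.30.41 query: abcd1234.api.avsvmcloud.com. A
2020-12-14 03:12:11 client 10.20.30.42 query: AVSVMCLOUD.COM A
2020-12-14 03:12:12 client 10.20.30.43 query: notavsvmcloud.com. A
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, IOC_DOMAINS_DEFANGED):
        print(hit)
```

Each hit names the client that asked, which is the starting point for the device-timeline investigation Microsoft recommends.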
No company or security firm aiding in response has outright said the threat group behind the attack is APT 29, also known as Cozy Bear or the Dukes. Given the impact of the attack, it has the markings of that threat actor. "The pre-positioning potential is massive," said Reiner. "You could envision APT 29 transferring some of the accesses to a more attack-minded entity," such as APT 28, or Fancy Bear.