Microsoft AV now blocks applications with malicious SolarWinds binaries

As more CISOs using SolarWinds’ Orion network management suite investigate the possibility of infected updates, Microsoft this morning began blocking applications with malicious SolarWinds binaries, a move that may cause headaches with other software, servers and PCs.

Microsoft Defender Antivirus is now putting those malicious binaries into quarantine, even if the process is running. “We also realize this is a server product running in customer environments,” Microsoft said in a recent blog post. The company added, “it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices.”

Specific recommendations include:

  • Immediately isolating the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
  • Identifying the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
  • Investigating how the affected endpoint might have been compromised.
  • Investigating the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.

If service interruption is not possible, Microsoft said, its customers must act to exclude SolarWinds binaries. This should be a temporary change that you should revert as soon Orion has been updated with fixes from SolarWinds or complete an investigation.

However, Ed Dubrovsky, managing partner of Toronto-based incident response firm Cytelligence, urged organizations with Orion not to shut down their network monitoring capabilities. “At a time when cyberattacks are at a pandemic level, you do not want to go blind. However, implement some controls around what Orion is allowed to do and communicate.” That includes:

  • Ensuring you understand what domains the backdoor is calling out to, and block these. There are plenty of other articles speaking about the technical aspect of the vulnerability.
  • Patching the software and monitor for additional patches that will likely be released shortly.
  • Begining an investigation going back to early this year, to assess whether your organization was actually compromised and whether any other persistence mechanisms were installed or whether the lateral movement can be identified. If any signs of intrusion are identified, get a DFIR firm involved to assess the damage and preserve artifacts.

On Tuesday, SolarWinds released the second hotfix for Orion after the company acknowledged over the weekend Orion software builds for versions 2019.4 through 2020.2.1, released between March and June had been compromised to allow the installation of a backdoor. The company has a FAQ page here.

SolarWinds estimates that of the 33,000 customers that use fewer than 18,000 installed the bad update. News reports also suggest those who created the malware exploited a small number of that. However, victims are believed to include some U.S. government departments and major companies such as cybersecurity firm FireEye.

Microsoft dubs the malware Solorigate. FireEye calls it Sunburst and issued a detailed examination of how it is exploited.

The Canadian Cyber Security Centre urges CISOs to follow the following FireEye advice: Ensure that SolarWinds servers are isolated and contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.

  • If SolarWinds infrastructure is not isolated, consider taking the following steps:
    • Restrict the scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
    • Restrict the scope of accounts that have local administrator privileged on SolarWinds servers.
    • Block Internet egress from servers or other endpoints with SolarWinds software.
  • Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers/infrastructure. Based upon further review/investigation, additional remediation measures may be required.
  • If SolarWinds is used to managed networking infrastructure, consider conducting a review of network device configurations for unexpected/unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.

According to ZDNet, Microsoft, FireEye and GoDaddy seized and shut a domain used by the malware to communicate with a command and control server. That stops the attackers from using that domain to communicate with infected servers. In a statement FireEye called this a killswitch. “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.”

The SANS Institute also said there are lessons for CISOs who are running any network management system, including making sure that you’re not using domain accounts where unneeded, and that services can only reach necessary components, including restricting Internet access to only where explicitly needed.

Meanwhile, the Washington Post ran a story questioning why the U.S. government’s vaunted Einstein intrusion detection platform missed the exploitation. Einstein is run by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The story says agency officials told congressional staff Monday that the system did not have the capacity to flag the malware that was signalling back to its masters.

In addition security vendor Volexity recounts its work fighting an attacker at an unnamed U.S. think tank that used Orion which may shed more light.  Volexity worked three separate incidents involving a group it calls Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization’s Microsoft Exchange Control Panel. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July of this year.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now