Microsoft is preparing to quarantine malicious versions of the SolarWinds Orion application used in recent nation state attacks, in a move that may crash systems.
The computing giant had previously released detections to alert customers of its Windows Defender security product if they were running the malicious updates. Although it was recommended that such customers isolate and investigate any such devices, the decision was down to them.
However, in an update yesterday Microsoft effectively said it was taking the decision out of the hands of its customers.
“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” it said.
“This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service.”
Over the weekend reports emerged that a previous attack on FireEye was part of a much larger Russian intelligence plot to steal sensitive information from US government and countless other unnamed organizations.
The vector was Orion updates which the attackers managed to seed with malicious binaries used to install the Sunburst (aka Solarigate) backdoor malware. SolarWinds confirmed to the SEC that 18,000 customers were affected.
However, as the product performs crucial network management operations, Microsoft’s decision could theoretically cause some disruption.
“It is important to understand that these binaries represent a significant threat to customer environments,” it argued. “Customers should consider any device with the binary as compromised and should already be investigating devices with this alert.”
Microsoft urged victim organizations to immediately isolate affected devices, identify accounts used on the device and assume they have been compromised, reset passwords, look for lateral movement tools and more.
We're Datek Solutions
Since 1998 we have been managing IT support, solutions and strategy for a range of clients. We have won awards for our excellent customer service and pride ourselves on being transparent. What you see, is what you get.
What makes us different? We don’t use a one-size fit all approach. We get to know your business and everyone in it, what it needs and how we can support you to give the best solutions at the best possible prices.
Above all this, we are committed to keeping it simple for you. If there’s a solution that your company needs, or you already have and it’s essential we support it, we make sure we know everything there is to know about it.
Contact us on 01753 540000 or email us at contactus@datek.co.uk.
News Source: https://www.infosecurity-magazine.com/
