Microsoft has found more than 40 of its customers — including itself — whose systems have been compromised by leveraging the SolarWinds Orion platform update vulnerability known as Solorigate/Sunburst.
In a Dec. 17 blog post, company president Brad Smith said that by using indicators of compromise in Windows Defender anti-virus, it has been able to identify and notify these organizations.
About 80 per cent of them are in the United States, but there are also victims in Canada, the United Kingdom, Mexico, Belgium, Spain, Israel and the United Arab Emirates.
“It’s certain that the number and location of victims will keep growing,” Smith added.
Late Thursday, Microsoft revealed that it, too, was on the list. “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” Reuters quoted a Microsoft spokesperson as saying. The unnamed source also said the company had found “no indications that our systems were used to attack others.”
Government agencies were not the only targets of the attackers, believed to be a nation-state. Of the firms identified by Microsoft, 44 per cent were in the IT sector, 18 per cent were government departments, 18 per cent were non-government organizations or think tanks and nine per cent were government contractors.
Solorigate/Sunburst is a backdoor created by compromising updates to SolarWinds’ Orion network management platform earlier this year with a digitally-signed certificate. It was discovered by FireEye during an investigation into how its red team tools had been compromised. SolarWinds estimates that 17,000 Orion users may have installed the update. However, it believes the attacker exploited a smaller number of those and got into their networks.
Kaspersky said its software identified 100 of its customers that had received the Orion update. However, none of them had received the second stage of the attack.
SolarWinds has issued a hotfix.
“The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,” Smith wrote in his blog. “The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.”
Smith was also highly critical of cybersecurity companies that make and sell sophisticated network intrusion and surveillance tools to governments, and nation-states targeting COVID-19 research by universities and the pharmaceutical industry.
“Put together, these three trends point to a cybersecurity landscape that is even more daunting than when the year began. The most determined nation-state attackers are becoming more sophisticated. Risks are both growing and spreading to other governments through new private sector companies that aid and abet nation-state attackers. And nothing, not even a pandemic, is off-limits to these attackers,” Smith wrote.
He called on the public and private sectors to work closer, including better sharing of threat intelligence. Internationally, “the U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law,” he added.
While the infected Orion updates were released between March and June, researchers at Reversing Labs found evidence that tampering with the platform’s software code and code signing infrastructure dates back to October 2019. That version of the update didn’t include the malicious backdoor code now known as Solorigate/Sunburst, they said in a blog, but it did contain the .NET class that would eventually host it.
“This first code modification was clearly just a proof of concept,” said the researchers. “Their three-step action plan: Compromise the build system, inject their own code, and verify that their signed packages are going to appear on the client-side as expected. Once these objectives were met, and the attackers proved to themselves that the supply chain could be compromised, they started planning the real attack payload.
“The name of the class, OrionImprovementBusinessLayer, had been chosen deliberately. Not only to blend in with the rest of the code, but also to fool the software developers or anyone auditing the binaries. That class, and many of the methods it uses, can be found in other Orion software libraries, even thematically fitting with the code found within those libraries. This implies not only the intent to remain stealthy, but also that the attackers were highly familiar with the code base.”
For companies that operate valuable businesses or produce software critical to their customers, inspecting software and monitoring updates for signs of tampering, malicious or unwanted additions must be part of the risk management process, Reversing Labs said.
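One way to act on that advice is a release-diff check that compares a trusted prior build against a new update and reports additions that a valid code signature alone would not reveal, such as the newly introduced class described above. This is an added example, not code from the article or from Reversing Labs; it assumes the per-file hashes and .NET type names have already been extracted elsewhere, and the file names and inventories below are constructed sample data.

```python
import hashlib
from typing import Dict, List, Set

def entry(blob: bytes, *types: str, signed: bool = True) -> Dict:
    """Build one inventory record: content hash, signature status, .NET type names."""
    return {"signed": signed, "sha256": hashlib.sha256(blob).hexdigest(), "types": set(types)}

# Constructed sample inventories (file names are hypothetical). Both releases
# carry a valid vendor signature, so a signature check alone passes on each.
BASELINE = {
    "Core.BusinessLayer.dll": entry(b"baseline build", "BackgroundInventory", "InventoryManager"),
    "Web.dll": entry(b"web baseline", "LoginPage", "SessionHelper"),
}
NEW_RELEASE = {
    # Rebuilt with one extra class that the release notes do not mention.
    "Core.BusinessLayer.dll": entry(b"tampered build", "BackgroundInventory",
                                    "InventoryManager", "OrionImprovementBusinessLayer"),
    "Web.dll": entry(b"web baseline", "LoginPage", "SessionHelper"),
}

def diff_release(baseline: Dict, release: Dict) -> Dict[str, List[str]]:
    """Report what changed between two inventories, independent of signatures."""
    findings: Dict[str, List[str]] = {"unsigned": [], "new_files": [], "removed_files": [],
                                      "changed_files": [], "new_types": []}
    for name, meta in release.items():
        if not meta["signed"]:
            findings["unsigned"].append(name)
        old = baseline.get(name)
        if old is None:
            findings["new_files"].append(name)
            continue
        if old["sha256"] != meta["sha256"]:
            findings["changed_files"].append(name)
        for type_name in sorted(meta["types"] - old["types"]):
            findings["new_types"].append(f"{name}:{type_name}")
    findings["removed_files"] = sorted(set(baseline) - set(release))
    return findings

def unexplained_types(findings: Dict[str, List[str]], documented: Set[str]) -> List[str]:
    """New types the vendor's release notes do not account for; each needs review."""
    return [t for t in findings["new_types"] if t.split(":", 1)[1] not in documented]

if __name__ == "__main__":
    report = diff_release(BASELINE, NEW_RELEASE)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("needs review:", unexplained_types(report, {"InventoryManager"}))
```

The check is only as good as the baseline: the prior release must itself have been reviewed, since a build system that was tampered with early would otherwise make the injected class part of the accepted baseline.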
Meanwhile, in a blog a senior security researcher at Domain Tools noted that an initial infection doesn’t guarantee compromise. An attacker has to take some measure of control over infected devices and be able to move laterally within the network to other sources of value for collection or other objectives, he argued. “All of this activity, even if initial intrusion leapfrogs a large number of controls and monitoring points, leaves traces for detection and response.”