State-sponsored campaign is shaping up to be one of the most devastating ever
Microsoft Corp says its systems were infected with malware emanating from the SolarWinds breach, a springboard for attacks launched against US government agencies and other enterprises that have emerged over recent days.
First reported yesterday (December 17) by Reuters, the Microsoft compromise appears to have been precipitated by a trojan lurking within updates to Orion, SolarWinds’ enterprise network management software.
In a statement, Microsoft confirmed that it had “detected malicious SolarWinds binaries in our environment, which we isolated and removed”.
The tech giant said it had “not found evidence of access to production services or customer data,” and – although Reuters cited sources claiming otherwise – said it had “found absolutely no indications that our systems were used to attack others.”
The US National Security Agency has published a security advisory warning Microsoft Azure customers that some Microsoft cloud services may have been compromised. The alert goes on to offer detection and remediation advice.
Trail of destruction
The recently discovered supply chain attack campaign, which could have begun as early as March, compromised the networks of the US Department of Homeland Security (DHS), and the Treasury, Commerce and Energy departments.
Last week cyber threat detection firm FireEye became the first organization to reveal that it had fallen prey to the attacks.
The attacks have been linked to Russian state-sponsored cybercrime gang APT29 (AKA Cozy Bear).
Peeling back the layers of the Orion
Orion is used to monitor and manage enterprise network assets such as servers, workstations, mobiles, and IoT devices.
SolarWinds customers also include the Pentagon, NASA, the Department of Justice, the Office of the President of the United States, all five branches of the US military, and 425 of the US Fortune 500.
In SEC documents filed on December 14, SolarWinds said that about 18,000 of 33,000 Orion customers had downloaded updates that contained the back door.
SolarWinds has issued a security advisory that lists affected products and advises customers on applying security updates and mitigation steps.
Sophisticated cyber tradecraft
However, in a security advisory issued yesterday, CISA said it had identified potential access vectors other than Orion.
FireEye, it noted, has found that the adversary is thwarting detection and network analysis efforts with techniques including steganography, the use of compromised or spoofed tokens for lateral movement, and time threshold checks to introduce unpredictable delays between C2 communication attempts.
“Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.”
Lior Div, CEO and co-founder of cybersecurity outfit Cybereason, advised organizations to “initiate threat hunting and compromise assessments” if they “fit the profile of a ‘high-value target’”.
The attacks, he added, demonstrate “what’s possible when threat actors gain access to a major vendor’s supply chain such as SolarWinds, with more than 300,000 customers.”
The discovery of the presumed cyber-espionage effort coincides with a period in which the US federal government has been distracted by the presidential election, the transition between administrations, and efforts to “combat disinformation campaigns tied to COVID-19 research and vaccine dissemination”.
Confirmed victim count rising
In a blog post published yesterday, Microsoft president Brad Smith said the company was notifying more than 40 customers in the US and beyond whom the attackers had targeted.
He said it was “certain” that more victims would emerge as investigations into the attack continue.
The attacks highlighted the lack of “a formal and cohesive national strategy for the sharing of cybersecurity threat intelligence between the public and private sectors”, he added.
The House Homeland Security Committee has launched an investigation into the attacks and the FBI is expected to deliver a classified briefing to Congress today (Friday).
The Daily Swig has contacted Microsoft for further comment and will update the article if and when we hear back.