Microsoft Blocks Sunburst Malware at Root of SolarWinds Hack - Android Tricks 4 All

Wednesday, December 16, 2020

Microsoft Blocks Sunburst Malware at Root of SolarWinds Hack

Microsoft is now blocking the Sunburst backdoor used in the SolarWinds cyberattack that has claimed numerous victims worldwide.

The Sunburst backdoor is a key feature of the ongoing supply-chain attack, and the release of a global malware signature should considerably reduce the threat.

What Is the SolarWinds Cyberattack?

In December 2020, numerous US government agencies announced that they were the victim of an extensive hacking operation. The backdoor for the attack was inserted using a malicious update via the SolarWinds Orion IT management and remote monitoring software.

At the time of writing, the SolarWinds hack has claimed the US Treasury, along with the Departments of Homeland Security, State, Defense, and Commerce, as victims, with more revelations likely to follow.

The true extent of the SolarWinds attack isn't yet known. Speaking to the BBC, cybersecurity researcher Prof Alan Woodward said, "Post Cold War, this is one of the potentially largest penetrations of Western governments that I'm aware of."

What Is the Sunburst Backdoor?

Such a vast attack took months, if not years, of planning. The attack was set into motion with the delivery of an undiscovered malicious update to the SolarWinds Orion software.

Unbeknownst to SolarWinds and their users, many of whom are government departments, a threat actor had infected an update.

The update was rolled out to at least 18,000 and potentially up to 300,000 customers. When installed, the update deployed a trojanized version of the Orion software, giving the attacker access to the computer and the wider network.

This process is known as a supply-chain attack. The hack was discovered by FireEye, who were themselves the victim of a related high-profile data breach in December 2020.

The FireEye report summary reads:

The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft.

Sunburst, then, is the name under which FireEye is tracking the cyberattack, and the name given to the malware distributed through the SolarWinds software.

How Is Microsoft Blocking the Sunburst Backdoor?

Microsoft is rolling out detections for its security tools. Once the malware signature rolls out to Windows Security (formerly Windows Defender), computers running Windows 10 will have protection from the malware.

As per the Microsoft 365 Defender Threat Intelligence Team blog:

Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running.

Microsoft also offers the following additional security steps if you encounter the Sunburst malware:

  1. Immediately isolate the infected device or devices. If you find the Sunburst malware, your device is likely already under the control of an attacker.
  2. If any accounts were used on the infected device, you should consider these compromised. Reset any password relating to the account or decommission the account entirely.
  3. If possible, begin investigating how the device was compromised.
  4. If possible, begin searching for indicators that the malware has spread to other devices, a process known as lateral movement.

For most people, the first two security steps are the most important. You can also find more security information on the SolarWinds site.

There is no confirmation of the attackers' identity, but the attack is believed to be the work of a highly sophisticated and well-resourced nation-state hacking team.
