Microsoft has announced it is aware of a sophisticated supply chain attack that has targeted a variety of victims over the past year. The attack utilises malicious SolarWinds (Orion® Platform) files that possibly gave cybercriminals access to some victims’ networks. Microsoft cybersecurity experts are investigating the attack to help ensure that Microsoft customers are as secure as possible.
Microsoft – Responding to sophisticated cyberattacks (SolarWinds Orion Platform)
On December 17, 2020, Brad Smith posted a blog sharing the most up-to-date information and detailed technical information for defenders.
SolarWinds was the victim of a cyberattack to their systems that inserted a vulnerability (SUNBURST) within the Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.
Bob Potter, Operations Director, Turnkey has stated:
“Whilst we do use SolarWinds products, we don’t currently use and have never used the SolarWinds Orion Suite of products that are the focus of the current Security Advisory.
We extensively use SolarWinds MSP products as part of our support portfolio. Those SolarWinds products used are listed in the Security Advisory as not known to be affected. You can review the full list here.
We will continue to monitor the situation through our normal channels and will react promptly to any appropriate directives issued by SolarWinds.”
Turnkey Infrastructure Solutions – here for our customers
As a certified Microsoft partner, we are already working closely with our customers to ensure they are best protected on a daily basis. We’ve recently been asked:
Q: Does ESET protect me from the SolarWinds supply-chain attack?
A: ESET software detects and blocks all known variants of MSIL/SunBurst.A. Read the support blog from ESET.
Deeper technical overview from Microsoft
Microsoft has published a number of technical resources to assist customers in securing their environments:
- Important steps for customers to protect themselves from recent nation-state cyberattacks. Microsoft explains the principles with which they are approaching the investigation.
- Understanding the technical details of the attack. Microsoft will continue to update this anchor blog with new information as the investigation continues. Customers should look to this blog as the one-stop source for updates on the sophisticated attack.
- Microsoft Defender antivirus and Microsoft Defender for Endpoint have released protections for the malicious SolarWinds software and other artifacts from the attack.
- Microsoft Azure Sentinel has released guidance to help Azure Sentinel customers hunt in their environments for activity related to what Microsoft has observed with this sophisticated attack.
- Microsoft 365 Defender and Microsoft Defender for Endpoint customers should review the Threat Analytics article within the Defender console (sign-in is required) for information about detection and potential impact to their environments.
- For any Microsoft Threat Experts (MTE) customers, where Microsoft has observed suspicious activity in the customers’ environments, they have completed Targeted Account Notifications.
- For Identity professionals and Microsoft 365 admin, Microsoft has published a blog with guidance on how to protect Microsoft 365 from on-premises attacks.