Microsoft Caught Up in SolarWinds Cyber-attack – Joining US Federal Agencies!


Microsoft has become the latest victim of the ever-widening SolarWinds-driven cyber-attack that has affected various US Federal Agencies & tech targets. Its president, Brad Smith, warned last Thur. to expect many more victims to come to light as investigations continue.

The ongoing, growing campaign is “effectively an attack on the US & its govt. & other critical institutions,” Microsoft cautioned.

Orion Network

Adversaries were able to use SolarWinds’ Orion network management platform to infect users with a stealth backdoor called “Sunburst” or “Solorigate,” which opened the way for lateral movement to other parts of a network.

It was distributed via trojanised product updates to almost 18,000 organisations around the globe, starting 9 months ago. Once embedded, the attackers have been able to pick & choose which organisations to penetrate further.

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated & removed,” a Microsoft spokesperson commented in a media statement.

Kill Switch

Microsoft & FireEye have created a “kill switch” for the backdoor that can defang it — though that does not help remediate infections that have already spread to other areas of a network.

In a blog, Smith described the “broad & successful espionage-based assault” as “ongoing” & “remarkable for its scope, sophistication & impact.”

Smith also noted, “we should all be prepared for stories about additional victims in the public sector & other enterprises & organisations.”

Regarding this, he revealed that Microsoft has so far notified 40 of its security customers that its products have found indicators of ‘compromise’ on their networks, & that the attackers targeted them “more precisely & compromised through additional & sophisticated measures,” with more victims to follow.

Mainly US

Circa 80% of those customers have been located in the US, Smith observed, with the remaining located in Canada & Mexico in N. America; Belgium, Spain & the UK in Europe; & Israel & the UAE in the Middle East. They are govt. agencies, security & other technology firms, & non-governmental organisations.

The supply-chain attack method used for initial access (SolarWinds’ Orion software) also let the attackers reach “many major national capitals outside Russia,” Smith commented. “This also illustrates the heightened level of vulnerability in the US.”

This campaign is “effectively an attack on the US & its govt. & other critical institutions,” he cautioned.

US Federal Bodies

So far, 6 US Federal bodies are known to have been affected by this attack: the Pentagon, the US Dept. of Energy, the US Dept. of Homeland Security, the US National Institutes of Health, the US Dept. of the Treasury, & the US Dept. of Commerce.

Microsoft’s update comes as the US Cybersecurity & Infrastructure Security Agency (CISA) warned that the attackers may have used additional initial-access vectors beyond the SolarWinds Orion platform.

CISA

“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” it commented in an updated bulletin last Thur.

Sources told Reuters that the hackers used Microsoft’s Azure cloud offerings as part of their attacks, but the Microsoft spokesperson explained that there are “no indications that our systems were used to attack others.”

Unprepared?

Within a report breaking the news that the US DoE, keeper of the US nuclear arsenal, has been impacted by the attack, sources suggested that CISA admitted that it was ‘overwhelmed’ & lacked the resources to properly respond.

It is also affected by a lack of leadership. Its top official, Christopher Krebs, was fired for calling the 2020 US Presidential Election ‘secure’ & has not been replaced.

This adds to an already ‘chaotic’ cyber-security posture in the US Federal Govt., Smith noted.

“It too often seems that federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cyber-security strategy,” Smith observed. “While parts of the Federal Govt. have been quick to seek input, information sharing with 1st responders in a position to act has been limited.”

9/11 Commission

“During a cyber-incident of national significance, we need to do more to prioritise the information-sharing & collaboration needed for swift & effective action. In many respects, we risk as a nation losing sight of some of the most important lessons identified by the 9/11 Commission.”

US Secretary of State Mike Pompeo noted on Sat. that Russia is likely behind the attacks. FireEye CEO Kevin Mandia commented last week that “We are witnessing an attack by a nation with ‘top tier’ offensive capabilities.” Smith observed that Microsoft has reached the very same conclusion.

Russian Intelligence

As for which govt. is behind the attacks, researchers & US lawmakers alike, referencing the highly sophisticated nature of the attack, have said the intrusions were ‘likely’ carried out by Russian intelligence, though the US has not ‘officially’ made any attribution.

A classified briefing from the FBI & other agencies for members of the US Congress on the attacks was scheduled for last Fri.
