Microsoft to quarantine SolarWinds apps linked to recent hack

After previously only raising detection alerts, Microsoft is moving to block trojanized SolarWinds apps from running, which may cause IT issues for some of its customers.
Written by Catalin Cimpanu, Contributor

Microsoft announced plans to start forcibly blocking and isolating versions of the SolarWinds Orion app that are known to have contained the Solorigate (SUNBURST) malware.

Microsoft's decision is related to the massive supply chain attack that came to light over the weekend and impacted IT software vendor SolarWinds.


On Sunday, several news outlets reported that hackers linked to the Russian government breached SolarWinds and inserted malware inside updates for Orion, a network monitoring and inventory platform.

Shortly after news reports went live, SolarWinds confirmed that Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware.

Following the company's official statement, Microsoft was one of the first cybersecurity vendors to confirm the SolarWinds incident. On the same day, the company added detection rules for the Solorigate malware contained within the SolarWinds Orion app.

However, these detection rules only triggered alerts, and Microsoft Defender users were allowed to decide on their own what they wanted to do with the Orion app.

Trojanized SolarWinds apps to be isolated starting tomorrow

Then, in a short blog post on Tuesday, Microsoft said it has now decided to forcibly put all Orion app binaries in quarantine.

"Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running," Microsoft said.

The OS maker said it took this decision for the benefit of its customers, even though it expects the move to cause some crashes of network monitoring tools in sysadmin rooms.

"It is important to understand that these binaries represent a significant threat to customer environments," the company said.

"Customers should consider any device with the binary as compromised and should already be investigating devices with this alert," it added.

Microsoft recommended that companies remove and investigate devices where the trojanized Orion apps were installed. The advice is in line with a DHS emergency directive published on Sunday, where the Cybersecurity and Infrastructure Security Agency recommended the same thing.

In SEC documents filed on Monday, SolarWinds estimated that at least 18,000 customers installed the trojanized Orion app updates and most likely have the Solorigate (SUNBURST) malware on their internal networks.

On the vast majority of these networks, the malware is present but dormant. The SolarWinds hackers chose to deploy additional malware only on the networks of a few high-value targets. Currently known victims of this group's attacks include:

  • US cybersecurity firm FireEye
  • The US Treasury Department
  • The US Department of Commerce's National Telecommunications and Information Administration (NTIA)
  • The Department of Health's National Institutes of Health (NIH)
  • The Cybersecurity and Infrastructure Security Agency (CISA)
  • The Department of Homeland Security (DHS)
  • The US Department of State