Microsoft is playing a pivotal role in handling corrupt versions of the SolarWinds Orion app that are infected with the Solorigate (SUNBURST) malware. Over the weekend, a major supply chain attack was discovered exploiting SolarWinds, a software seller for IT services.
Reports point to a Russia-backed threat group having placed malware in the company’s Orion application, which SolarWinds customers use for network monitoring. The company later confirmed that Orion versions 2019.4 to 2020.2.1 were compromised with the Solorigate malware.
Microsoft was quick to pick up on the problem. The Redmond giant put detection for the malware in place, but initially this was limited to sending alerts to Microsoft Defender users. Following an alert, the user could take action to remove the Orion app.
Furthermore, Microsoft worked with other tech companies to seize and take down a domain that was crucial in the breach. The domain, avsvmcloud.com, was a server for the Solorigate malware and sent the infection to nearly 18,000 Orion users.
Microsoft has now decided to take its defense against the malware a step further. Instead of just warning Microsoft Defender users, the company has now removed all Orion app binaries. On Microsoft Defender, the binaries are now held in quarantine.
“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running,” Microsoft says.
“It is important to understand that these binaries represent a significant threat to customer environments,” the company adds.
“Customers should consider any device with the binary as compromised and should already be investigating devices with this alert.”