In the last days, The Hack reported cyber invasions targeting FireEye and subsequently several US government entities. Although the investigations are still ongoing, everything indicates that this chain of attacks was only possible thanks to the commitment of software from SolarWinds, a global leader in the provision of IT services and that has more than 300 thousand customers around the world.
Microsoft is also a customer of the brand, and on Thursday (17), revealed to have been another victim of the malicious maneuver. “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we have detected malicious SolarWinds binaries in our environment, which we have isolated and removed. We found no evidence of access to production services or customer data, ”he says.
According to the Mountain View Giant, investigations to date show that, it seems, their systems and resources were not used to attack third parties. It is worth noting that, on the same day, Brad Smith, the company’s current president, published a long statement describing this episode as “a reckoning moment” and highlighting Microsoft’s efforts to combat this malicious actor.
“Unfortunately, the attack represents a broad and successful espionage-based onslaught both against confidential US government information and the technology tools used by companies to protect it. The attack is ongoing and is being actively investigated and addressed by cyber security teams in the public and private sectors, including Microsoft, ”explains Brad.
Besides revoke certificates for trojanized files and update Windows Defender to identify malicious versions of the SolarWinds Orion Platform plugin, she also entered into a partnership with the domain manager GoDaddy to control the domain avsvmcloud[.]com, which was being used by criminals to manage their command and control center (C2).
Furthermore, Brad points out that he has identified at least 40 SolarWinds customers who have been attacked “more precisely” and who have been “compromised through additional sophisticated measures”. These consumers have already been notified; 80% of them are based in the USA, but there are also companies in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.
The wave of attacks, which began to be identified on the 8th of this month, still remains with several unknowns. Apparently, we are seeing a coordinated attack by the Russian state hacking group APT29 (better known as Cozy Bear) to the US government and companies that provide information technology and cybersecurity services.
To start the attack, the attackers managed, in some way, to compromise the software compilation and distribution system of SolarWinds, a multinational that provides services not only to several companies linked to the US government, but also to the public entities themselves. Once successful in that commitment, the actors infected a plugin for the SolarWinds Orion platform with a trojan.
The malicious version of the plugin – which, according to estimates, has been downloaded at least 18,000 times – creates a backdoor on the victim’s system via malware that was named Solorigate by Microsoft and SUNBURST by FireEye. As such, the maneuver is categorized as a supply chain attack, as SolarWinds (supplier) was attacked simply as a means of reaching the primary target (customer).
See the original post at: https://thehack.com.br/microsoft-tambem-foi-vitima-de-ataque-cibernetico-que-comprometeu-a-solarwinds/?rand=48873