
Microsoft Explains How The SolarWinds Attacks Were Able To Be So Elusive For Months

In a new blog post, Microsoft security researchers explain how the SolarWinds attacks remained so elusive while they carried out their hacking operation.

January 22, 2021 Zachary Comeau


Cybersecurity experts from Microsoft have released a long, detailed blog about the SolarWinds compromise that includes new information that helps IT professionals better understand how the attack transpired.

The blog – a deep dive into how attackers moved from the initial backdoor and through customer networks – comes as the tech community continues to grapple with the effects of the compromise that has kept cybersecurity teams working around the clock to uncover the damage.

Microsoft’s findings also continue to illustrate just how sophisticated the attackers are.

The company had previously published a blog exploring the malware that provided the backdoor into as many as 18,000 SolarWinds customer networks, and it has detailed the hands-on-keyboard techniques attackers used on compromised endpoints through a second-stage payload – one of several custom Cobalt Strike loaders – including the loader that cybersecurity company FireEye calls Teardrop and a variant Symantec named Raindrop.

According to the company, one missing link in the attack chain – which is being called Solorigate – is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader.

“Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection,” the researchers wrote in the blog.

The researchers used the cross-domain optics of Microsoft 365 Defender to gain visibility across the entire attack chain in one complete and consolidated view.

The blog reiterates some facts that we already know: a fully functional Solorigate DLL backdoor was compiled at the end of February 2020 and pushed out to customers in late March. Attackers then removed the backdoor code from SolarWinds’ build environment in June 2020.


“Considering this timeline and the fact that the Solorigate backdoor was designed to stay dormant for at least two weeks, we approximate that the attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure,” researchers wrote. “This approximation means that real hands-on-keyboard activity most likely started as early as May.”

Removing the malicious code from SolarWinds binaries in June could indicate that the attackers had reached a sufficient number of targets, and that their objective shifted from deploying and activating the backdoor to operating on selected victim networks with hands-on-keyboard activity using the Cobalt Strike implants.

What researchers didn’t know was how exactly the jump from the backdoor to the Cobalt Strike loader happened. The blog dives into the technical details, including what security teams need to look for to detect this activity.

The blog reinforces just how skillful the attackers are and the lengths to which they went to avoid detection.

“However, the attackers apparently deem the powerful SolarWinds backdoor too valuable to lose in case of discovery, so they tried to separate the Cobalt Strike loader’s execution from the SolarWinds process as much as possible,” researchers wrote. “Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed.”

Other techniques included methodical avoidance of shared indicators across compromised hosts, camouflage and blending into the environment, disabling event logging and re-enabling it afterward, preparing special firewall rules to minimize outgoing packets for certain protocols, enumerating remote processes and services running on target hosts before moving laterally, and timestomping to change the timestamps of artifacts.
