Microsoft Explains How The SolarWinds Attacks Were Able To Be So Elusive For Months

In a new blog post, Microsoft security researchers explain how the SolarWinds attacks remained so elusive while they carried out their hacking operation.

January 22, 2021 Zachary Comeau Leave a Comment

Security researchers at Microsoft have released a long, detailed blog post about the SolarWinds compromise that adds new information to help IT professionals understand how the attack unfolded.

The blog – a deep dive into how attackers moved from the initial backdoor and through customer networks – comes as the tech community continues to grapple with the effects of the compromise that has kept cybersecurity teams working around the clock to uncover the damage.

Microsoft’s findings also continue to illustrate just how sophisticated the attackers are.

In an earlier post the company explored the malware that provided the backdoor into as many as 18,000 of SolarWinds’ customer networks. It has also detailed the hands-on-keyboard techniques the attackers used on compromised endpoints through a second-stage payload: one of several custom Cobalt Strike loaders, including the loader that cybersecurity company FireEye calls Teardrop and a variant that Symantec calls Raindrop.

According to the company, one missing link in the attack chain – which is being called Solorigate – is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader.

“Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection,” the researchers wrote in the blog.

The researchers used the cross-domain optics of Microsoft 365 Defender to gain visibility across the entire attack chain in one complete, consolidated view.

The blog reiterates some facts that we already know: a fully functional Solorigate DLL backdoor was compiled at the end of February 2020 and pushed out to customers in late March. Attackers then removed the backdoor code from SolarWinds’ build environment in June 2020.

“Considering this timeline and the fact that the Solorigate backdoor was designed to stay dormant for at least two weeks, we approximate that the attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure,” researchers wrote. “This approximation means that real hands-on-keyboard activity most likely started as early as May.”

Removing the malicious code from SolarWinds binaries in June could indicate that the attackers had reached a sufficient number of targets, and that their objective shifted from deploying and activating the backdoor to operating on selected victim networks with hands-on-keyboard activity through the Cobalt Strike implants.

What had not been documented was exactly how the jump from the backdoor to the Cobalt Strike loader happened. The blog dives into those technical details, including what security teams need to look for to detect this activity.

The blog reinforces just how skillful the attackers are and the lengths to which they went to avoid detection.

“However, the attackers apparently deem the powerful SolarWinds backdoor too valuable to lose in case of discovery, so they tried to separate the Cobalt Strike loader’s execution from the SolarWinds process as much as possible,” researchers wrote. “Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed.”

Other techniques included methodical avoidance of shared indicators across compromised hosts (unique implants, C2 domains and file names per host), camouflage and blending into the environment, disabling event logging and re-enabling it afterward, preparing special firewall rules to minimize outgoing packets for certain protocols, enumerating remote processes and services on a target host before moving laterally, and timestomping to change the timestamps of artifacts.
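Two of the techniques in that list leave a characteristic shape in endpoint telemetry: an audit-policy change that switches logging off, a burst of activity, and a second change that switches it back on; and a host-firewall rule that blocks outbound traffic for a protocol. The following is an added example, not code from the Microsoft blog or from this article, showing how a detection engineer might surface both patterns from process-creation events. The sample events are constructed, and the `auditpol` and `netsh advfirewall` command syntax is assumed as a typical way these steps are carried out on Windows; the page itself does not name the commands the attackers used.

```python
"""Added example: flag the 'disable auditing, act, re-enable' pattern and
outbound-blocking firewall rules in process-creation telemetry.

Sample events and command lines are constructed for illustration; the
auditpol/netsh syntax is an assumption about how such steps are commonly
carried out on Windows, not something taken from the Microsoft blog."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (host, UTC timestamp, command line).
SAMPLE_EVENTS = [
    ("HOST-A", "2020-05-04T02:10:00",
     'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'),
    ("HOST-A", "2020-05-04T02:10:05",
     'netsh advfirewall firewall add rule name="win" dir=out protocol=udp action=block'),
    ("HOST-A", "2020-05-04T02:11:30", "rundll32.exe c:\\windows\\temp\\x.dll,Run"),
    ("HOST-A", "2020-05-04T02:14:00", 'netsh advfirewall firewall delete rule name="win"'),
    ("HOST-A", "2020-05-04T02:14:02",
     'auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable'),
    ("HOST-B", "2020-05-04T03:00:00", "auditpol.exe /get /category:*"),  # read-only, benign
    ("HOST-C", "2020-05-04T04:00:00",
     'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'),
]

# auditpol /set ... :disable turns a category off; ... :enable turns it back on.
AUDIT_OFF = re.compile(r"\bauditpol(?:\.exe)?\b.*?/set\b.*?/(?:success|failure):disable", re.I)
AUDIT_ON = re.compile(r"\bauditpol(?:\.exe)?\b.*?/set\b.*?/(?:success|failure):enable", re.I)
# A new host-firewall rule that blocks outbound traffic (dir=out + action=block).
FW_BLOCK_OUT = re.compile(
    r"\bnetsh\b.*?\badvfirewall\b.*?\badd\s+rule\b(?=.*\bdir=out\b)(?=.*\baction=block\b)", re.I)


def _by_host(events):
    """Group events per host and sort each host's rows by time."""
    grouped = defaultdict(list)
    for host, ts, cmd in events:
        grouped[host].append((datetime.fromisoformat(ts), cmd))
    for rows in grouped.values():
        rows.sort()
    return grouped


def find_logging_gaps(events, max_gap=timedelta(hours=24)):
    """One finding per audit-disable: when auditing was re-enabled on the same
    host (None if it never was within max_gap) and every command that ran in
    between. Those in-gap commands are exactly what the attacker did not want
    to appear in the Security log, so they deserve the closest look."""
    findings = []
    for host, rows in _by_host(events).items():
        i = 0
        while i < len(rows):
            t_off, cmd = rows[i]
            if not AUDIT_OFF.search(cmd):
                i += 1
                continue
            inside, t_on, j = [], None, i + 1
            while j < len(rows) and rows[j][0] - t_off <= max_gap:
                if AUDIT_ON.search(rows[j][1]):
                    t_on = rows[j][0]
                    break
                inside.append(rows[j][1])
                j += 1
            findings.append({"host": host, "disabled_at": t_off,
                             "reenabled_at": t_on, "commands_in_gap": inside})
            i = j + 1 if t_on else i + 1
    return findings


def find_outbound_block_rules(events):
    """Host-firewall rules that block outbound traffic for some protocol."""
    return [(host, ts, cmd) for host, ts, cmd in events if FW_BLOCK_OUT.search(cmd)]


if __name__ == "__main__":
    for f in find_logging_gaps(SAMPLE_EVENTS):
        print(f"{f['host']}: auditing off at {f['disabled_at']}, back on at "
              f"{f['reenabled_at']}, {len(f['commands_in_gap'])} command(s) in the gap")
    for host, ts, cmd in find_outbound_block_rules(SAMPLE_EVENTS):
        print(f"{host} {ts}: {cmd}")
```

On the constructed sample this reports two logging gaps (HOST-A, closed after about four minutes with three commands inside it, and HOST-C, never re-enabled) and one outbound block rule on HOST-A; the read-only `auditpol /get` on HOST-B is ignored. The check runs on process-creation telemetry rather than on the Security log precisely because the attacker's first move is to switch that log off; a gap that is never closed is worth as much attention as one that is.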
