Posted on December 18, 2020 at 11:38 AM
Microsoft revealed it discovered a malicious software version of the SolarWinds software in its system but doesn’t think hackers have used its system to attack users.
According to reports, the malicious version was planted by suspected Russian hackers who have launched attacks on several US government agencies.
They took advantage of the prevalent use of networking management software from SolarWinds.
Microsoft spokesperson commented on the situation and stated that the malicious software has been isolated and removed.
“We can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed,” the spokesperson pointed out.
Orion is a popular networking management software designed by SolarWinds. It is used by a wide range of companies, including US.-based Redmond.
Attackers are leveraging cloud services
Sources close to the Microsoft situation said the tech giant also has products leveraged to the attacked victims. And yesterday, the U.S. National Security Agency (NSA) issued an advisory by providing details about the infiltration of a Microsoft Azure cloud service by hackers. The threat actors are using the cloud service to tell users to shut down their systems.
A close source also revealed that the threat actors may be utilizing Microsoft cloud offerings and avoiding the company’s corporate infrastructure.
When Microsoft was contacted for a response about the technique used by the hackers, the company did not respond.
But another close source familiar with the situation said Microsoft is not likely the main target as an avenue for new malware infections. The source also said the Department of Homeland Security (DHS) also thinks so.
DHS and Microsoft immediately launched an investigation into the matter, and the investigation is still ongoing.
Also, the FBI and other security agencies will be having an emergency meeting with members of Congress to discuss the issue and other cybersecurity problems later today.
Malware doesn’t impact U.S. national security
The U.S. Energy Department also revealed that the threat actors could have accessed its network as part of the malware campaign.
A spokeswoman at the U.S. Energy Department revealed that the malware does not impact the NNSA or the U.S. national security as it has been isolated to business network.
According to DHS, apart from corrupting SolarWind’s network management software, the threat actors have also employed other methods.
CISA affirmed that the threat actors did not impact all the organizations they were able to compromise. It also told investigators not to conclude that organizations were safe if they haven’t deployed the recent versions of the SolarWinds software.
The safe thing to do now, according to CISA, is to install the latest updated software from SolarWinds.
The agency also revealed that it is still analyzing the other strategies the attackers have used. Through the analysis, CISA discovered that the threat actors are known to monitor email and other data from U.S. government organizations, including Homeland Security and Commerce, the Treasury Department, as well as U.S. departments of Defense.
According to the report, 18,000 Orion customers have already downloaded the malware-infested software containing the backdoor. Since the hacking campaign was uncovered, software firms have stopped processing information using the backdoors controlled by hackers.
But CISA said the hackers may have found another way to maintain access.
Attackers were careful to hide logs
CISA along with some security firms such as FireEye has released clues that will aid organizations to detect if their systems are also affected.
However, hackers have been cautious in their actions. They have deleted electronic footprints or logs that would have traced the infiltration. It makes it even more difficult to detect what has been hit.
Meanwhile, some organizations said there is no clue they were infected, but it doesn’t mean they are safe because of a lack of evidence. Some of those organizations may have been affected but the hackers have carefully deleted the logs.
Members of the Congress will be meeting today to demand for details about the situation and what may have been hit.