Ensuring customers are protected from Solorigate

UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.

Microsoft is monitoring a dynamic threat environment surrounding the discovery of a sophisticated attack that included compromised binaries from a legitimate software. These binaries, which are related to the SolarWinds Orion Platform, could be used by attackers to remotely access devices. We have established a resource center that is constantly updated as more information becomes available at https://aka.ms/solorigate.

On Sunday, December 13, Microsoft released detections that alerted customers to the presence of these malicious binaries, with the recommendation to isolate and investigate the devices. It is important to understand that these binaries represent a significant threat to customer environments. Customers should consider any device with the binary as compromised and should already be investigating devices with this alert.

Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices:

1. Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
2. Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
3. Investigate how the affected endpoint might have been compromised.
4. Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.

If service interruption is not possible, customers must take the action below to exclude SolarWinds binaries. This should be a temporary change that you should revert as soon as you update binaries from the provider or complete your investigation.

 

For Microsoft Defender Antivirus via GPO Instructions:

PATH: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus (or Windows Defender Antivirus) > Threats > Specify threats upon which default action should not be taken when detected.

Value name: 2147771206

Value: 6

 

For SCEP via GPO instructions:

PATH: Computer Configuration > Administrative Templates > Windows Components > Endpoint Protection > Threats > Specify threats upon which default action should not be taken when detected.

Value name: 2147771206

Value: 6

Note: If you don’t see the “Endpoint Protection” section, see: Manage Endpoint Protection using Group Policies – Configuration Manager | Microsoft Docs

 

For Microsoft Defender Antivirus and SCEP via SCCM Instructions:

PATH: Assets and Compliance, Endpoint Protection > Antimalware Policies > Threat overrides > Enter Threat name: Trojan:MSIL/Solorigate.BR!dha

PATH: Assets and Compliance, Endpoint Protection > Antimalware Policies > <Select relevant policy> > Threat overrides > Enter Threat name: Trojan:MSIL/Solorigate.BR!dha

Override action: Allow

 

For MDAV via MEM using PowerShell Instructions:

1.  Create a PowerShell script with the following content:

Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

2. Name the script as follows: Allow_SolarWinds.ps1
3. Save it to a temporary location, such as C:\Temp.
4. Go to https://endpoint.microsoft.com and sign in.
5. Browse to Devices > Windows > PowerShell scripts.
6. Select +Add, and then specify the following settings:

Name: Allow SolarWinds temporarily

Description: Allow SolarWinds temporarily while patching

7. Select Next, and then browse to where you saved the PowerShell script (for example, C:\Temp\Allow_SolarWinds.ps1).
8. Run the script using the following settings:

Run this script using the logged on credentials: No

Enforce script signature check: No

Run script in 64-bit PowerShell Host: Yes

9. Select Next.
10. For Scope tag, use <default>.
11. Select Next.
12. For assignment, choose Select groups to include, and then select the security group that has your Windows 10 devices.
13. Choose Select, and then choose Next.
14. Review your settings, and then select Add.

Note: For MEM (Intune) PowerShell script troubleshooting, review: C:\ProgramData\Microsoft Intune Management Extension\Logs\IntuneManagementExtension.log

 

For manual Microsoft Defender Antivirus via PowerShell Instructions:

Launch PowerShell as Admin

Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

For manual SCEP via PowerShell Instructions:

Launch PowerShell as Admin

Import-Module “$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1”

Set-MProtPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

 

For Automatic remediation exclusions:

Go to Settings > Indicators >  File Hashes, and add the specific file hashes for the affected DLLs, select response action as Allow and Save.

 

Alternate exclusion option by path:

C:\Program Files (x86)\SolarWinds\Orion\

            OR

<solar_windows_custom_install_location>\Orion\

Note: If you configure exclusions based on folder location, make sure you remove this exclusion AS SOON AS POSSIBLE after you get remediated binaries from the vendor. Otherwise, you are leaving a place on your devices for future attacks.

 

Note for Microsoft Defender Antivirus in passive mode:

• If EDR in block mode is enabled and Microsoft Defender AV is in passive mode with third-party antivirus product, Microsoft Defender Antivirus will take action if not excluded per instructions provided
• If EDR in block mode is not enabled and Microsoft Defender Antivirus is in passive mode with third-party antivirus product, Microsoft Defender Antivirus will alert but no remediation action will take place.

 

Microsoft has been communicating with SolarWinds regarding this incident. SolarWinds has released updates to help customers mitigate this issue and has provided further customer recommendations and updated binaries for their product. More information is available at https://www.solarwinds.com/securityadvisory.

For more information and guidance from Microsoft, read:

• Important steps for customers to protect themselves from recent nation-state cyberattacks
• Customer guidance on recent nation-state cyberattacks