Tuesday, December 22, 2020

Microsoft Responding to sophisticated cyberattacks

Microsoft is aware of a sophisticated attack that utilizes malicious SolarWinds software. On December 17, 2020, Brad Smith posted a blog sharing the most up to date information and detailed technical information for defenders.

As this is an ongoing investigation, Microsoft cybersecurity teams continue to act as first responders to these attacks. We know that customers and partners will have ongoing questions and Microsoft is committed to providing timely updates as new information becomes available. We will make updates through our Microsoft Security Response Center (MSRC) blog at https://aka.ms/solorigate.

There are a number of published resources to assist customers in securing their environments:

We have published a blog outlining this dynamic threat landscape and the principles with which we are approaching the investigation.

We have published an anchor blog with technical details of the attack. This blog will be updated with new information as the investigation continues. Customers should look to this blog as the one stop for updates on the sophisticated attack.

Microsoft Defender antivirus and Microsoft Defender for Endpoint have released protections for the malicious SolarWinds software and other artifacts from the attack.

Microsoft Azure Sentinel has released guidance to help Azure Sentinel customers hunt in their environments for related activity we have observed with this sophisticated attack.

Microsoft 365 Defender and Microsoft Defender for Endpoint customers should review the Threat Analytics article within the Defender console (sign-in is required) for information about detection and potential impact to their environments.

For any Microsoft Threat Experts (MTE) customers, where we have observed suspicious activity in the customers’ environments, we have completed Targeted Account Notifications.

If a customer has any product support related needs, please continue to direct them to Microsoft Support (CSS) who remain the primary place for all customer support needs.

For Identity professionals and Microsoft 365 admin, we have published a blog with guidance on how to protect Microsoft 365 from on-premises attacks.

Microsoft Blog Posts

December 13 - Customer Guidance on Recent Nation-State Cyber Attacks – Microsoft Security Response Center

December 13 - Important steps for customers to protect themselves from recent nation-state cyberattacks

December 15 - Ensuring customers are protected from Solorigate

December 16 - SolarWinds Post-Compromise Hunting with Azure Sentinel - Microsoft Tech Community

December 17 - A moment of reckoning: the need for a strong and global cybersecurity response

December 18 - Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect - Microsoft Security

December 18 - Protecting Microsoft 365 from on-premises attacks

Advisories & Additional Resources

If your customer has a specific question regarding FireEye, please refer them to the FireEye Advisory.

If your customer has a specific question regarding SolarWinds, please refer them to the SolarWinds Advisory.

The Cybersecurity and Infrastructure Security Agency (CISA) has published a set of information and guidance here. For individual country-specific guidance, customers and partners should refer to information from the appropriate law enforcement or other government entity in that jurisdiction.