Microsoft Responding to sophisticated cyberattacks

Microsoft is aware of a sophisticated attack that utilizes malicious SolarWinds software.
On December 17, 2020, Brad Smith posted a blog sharing the most up-to-date information
and detailed technical information for defenders.

As this is an ongoing investigation, Microsoft cybersecurity teams continue to
act as first responders to these attacks. We know that customers and partners
will have ongoing questions and Microsoft is committed to providing timely
updates as new information becomes available. We will make updates through our
Microsoft Security Response Center (MSRC) blog at https://aka.ms/solorigate.

There are a number of published resources to assist customers in securing their
environments:

We have published a blog outlining this dynamic threat landscape
and the principles with which we are approaching the investigation.

We have published an anchor blog with technical details of the attack.
This blog will be updated with new information as the investigation
continues. Customers should look to this blog as the one stop for updates on
the sophisticated attack.

Microsoft Defender antivirus and Microsoft Defender for
Endpoint have released protections for the malicious SolarWinds software and
other artifacts from the attack.

Microsoft Azure Sentinel has released guidance to help Azure Sentinel customers
hunt in their environments for related activity we have observed with this
sophisticated attack.

Microsoft 365 Defender and Microsoft Defender for Endpoint
customers should review the Threat Analytics article within the Defender console
(sign-in is required)
for information about detection and
potential impact to their environments.

For any Microsoft Threat Experts (MTE) customers, where we
have observed suspicious activity in the customers’ environments, we have
completed Targeted Account Notifications.

If a customer has any product support related needs, please
continue to direct them to Microsoft Support (CSS), which remains the primary
place for all customer support needs.

For identity professionals and Microsoft 365 admins, we have
published a blog with guidance on how to protect Microsoft 365 from on-premises attacks.

Microsoft Blog Posts

December 13 – Customer Guidance on Recent Nation-State Cyber Attacks – Microsoft Security Response Center

December 13 – Important steps for customers to protect themselves
from recent nation-state cyberattacks

December 15 – Ensuring customers are protected from Solorigate

December 16 – SolarWinds Post-Compromise Hunting with Azure Sentinel – Microsoft Tech Community

December 17 – A moment of reckoning: the need for a strong and global
cybersecurity response

December 18 – Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect – Microsoft Security

December 18 – Protecting Microsoft 365 from on-premises attacks

Advisories & Additional Resources

If your customer has a specific question regarding FireEye,
please refer them to the FireEye Advisory.

If your customer has a specific question regarding SolarWinds,
please refer them to the SolarWinds Advisory.

The Cybersecurity and Infrastructure Security Agency (CISA)
has published a set of information and guidance here. For individual country-specific
guidance, customers and partners should refer to information from the
appropriate law enforcement or other government entity in that jurisdiction.