Death star unleashed- Microsoft



NavyDiver
18th December 2020, 01:53 PM
The speed, scope and scale of Microsoft’s response were unprecedented. Specifically, Microsoft did four things over the course of four days that effectively undid the work of the attackers.

1) On Dec. 13, the day this became public, Microsoft announced (https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/) that it removed the digital certificates that the Trojaned files used. These digital certificates allowed Microsoft Windows systems to believe that those compromised files were trustworthy. In this single act, Microsoft literally overnight told all Windows systems to stop trusting those compromised files which could stop them from being used.

2) That same day, Microsoft announced that it was updating Microsoft Windows Defender, the antimalware capability built into Windows, to detect and alert if it found the Trojaned file on the system.

3) Next, on Tuesday, Dec. 15, Microsoft and others moved (https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/) to “sinkhole (https://en.wikipedia.org/wiki/DNS_sinkhole)” one of the domains that the malware uses for command and control (C2): avsvmcloud[.]com. Sinkholing is a legal and technical tactic to deprive attackers of control over malware. In Sinkholing, an organization like Microsoft goes to court to wrest control of a domain being used for malicious purposes away from its current holder, the attacker.

When successful, the organization can then use its ownership of that domain to sever the attacker’s control over the malware and the systems the malware controls. Sinkholed domains can also be used to help identify compromised systems: when the malware reaches out to the sinkholed domain for instructions, the new owners can identify those systems and attempt to locate and warn the owners. Sinkholing is a tactic that was first used in big attacks in the 2008-2009 battle against Conficker (https://en.wikipedia.org/wiki/Conficker) and has been a standard tactic in Microsoft’s toolkit for years, including most recently against TrickBot (https://www.zdnet.com/article/microsoft-and-other-tech-companies-orchestrate-takedown-of-trickbot-botnet/).

4) Finally, today, Wednesday, Dec. 16, Microsoft basically changed its phasers from “stun” to “kill” by changing Windows Defender’s default action for Solorigate from “Alert” to “Quarantine (https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/),” a drastic action that could cause systems to crash but will effectively kill the malware when it finds it. This action is important, too, because it gives other security companies license now to follow suit with this drastic step: Microsoft’s size and leadership of its platform give cover to other security companies that they wouldn’t otherwise have.

Taken together, these steps amount to Microsoft first neutralizing and then killing the malware while wresting control over the malware’s infrastructure from the attackers. By the end of this week, the attackers will be left with barely a fraction of the systems under their control.

They may still have access to compromised networks through other means: that’s what incident responders are likely working on now. And there’s no undoing whatever they did while the infiltration went unnoticed for months. But still, these actions together come as close to obliterating an attack as we’ve seen, which is all the more notable because of the likely attackers.

In the end, this all reminds us how much power Microsoft has at its disposal. Between its control of the Windows operating system, its robust legal team, and its position in the industry, it has the power to change the world nearly overnight if it wants to. And when it chooses to train that power on an adversary, it really is the equivalent of the Death Star: able to completely destroy a planet in a single blast.

Fortunately these days, Microsoft is sparing in its use of its power. But as I’ve noted before, we should never mistake Microsoft’s gentleness for weakness (https://www.geekwire.com/2020/pluton-processor-microsoft-shows-strength-proves-trustworthy-computing-still-matters/).

And anyway, what’s the point in having a Death Star if you don’t get to use it (for good) sometimes?
https://upload.wikimedia.org/wikipedia/en/f/f9/Death_star1.png

https://www.geekwire.com/2020/microsoft-unleashes-death-star-solarwinds-hackers-extraordinary-response-breach/?fbclid=IwAR2w9iaQeONRVdKS-Ivjty0u1CdY-Ho7ZVN_2CtC4E5nxPALArRKWkd7oOI
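
Added example (not part of the original post or the quoted article): the article notes that lookups of the C2 domain are what let compromised systems be identified, and a defender can run the same check over their own resolver logs. The log format, client addresses and sample lines below are constructed for illustration; only the domain comes from the article.

```python
from collections import defaultdict

# Domain named in the article, kept defanged in source and refanged at runtime.
C2_DOMAIN = "avsvmcloud[.]com".replace("[.]", ".")

# Constructed sample resolver log (assumed format: timestamp client qname qtype).
SAMPLE_LOG = """\
2020-12-14T09:01:12Z 10.0.4.17 www.example.org. A
2020-12-14T09:01:15Z 10.0.4.17 host1.sub.AVSVMCLOUD.com. A
2020-12-14T09:02:40Z 10.0.9.3 notavsvmcloud.com. A
2020-12-14T09:03:02Z 10.0.9.3 avsvmcloud.com.example.net. A
2020-12-14T09:05:55Z 10.0.7.21 avsvmcloud.com. CNAME
malformed line
"""


def is_under(qname, domain):
    """True if qname is the domain itself or a subdomain of it.

    Matching is done on whole labels, so look-alikes such as
    'notavsvmcloud.com' or 'avsvmcloud.com.example.net' do not match.
    """
    name = qname.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def find_c2_lookups(log_text, domain=C2_DOMAIN):
    """Return {client_ip: [(timestamp, qname), ...]} for lookups under domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip lines that do not fit the assumed format
            continue
        ts, client, qname, _qtype = fields
        if is_under(qname, domain):
            hits[client].append((ts, qname))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in sorted(find_c2_lookups(SAMPLE_LOG).items()):
        for ts, qname in lookups:
            print(f"{client} queried {qname} at {ts}")
```

A hit only shows that a host resolved the name; a sinkholed answer does not undo whatever happened before the sinkhole, so flagged hosts still need incident response.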

speleomike
19th December 2020, 08:53 PM
Hi

The extent of this compromise, the time that the miscreants were inside critical systems, and the sophistication of this piece of malware is unprecedented. The extent and damage is still being assessed. Sys Admins, Cyber Sec specialists are probably flat out and there are many very worried Govt Depts, Military sites and big companies. It really is a huge FU. When 330,000 customers use one Network Monitoring system from one company then it does not take precognition to see a weakness in that.

And I think Putin should give the hackers a week's holiday in some luxurious accommodation at some nice Black Sea resort and a nice medal. The hackers have probably exceeded their job performance expectations this year :-)

Mike

BradC
20th December 2020, 01:47 AM
The extent and damage is still being assessed.

And will likely never be actually calculated. This was a particularly clever piece of Malware used in a targeted and elegantly devious manner.

As for the "Yay Microsoft" cheer squad.... Woohoo, they did what any responsible organisation in their position should. They invalidated a compromised certificate, updated their anti-malware signatures and pushed them out as an update (which organisations will deploy at their leisure). They also collaborated with other organisations in taking down an element of the command and control structure (the bit they know about anyway). Given Microsoft's propensity for breaking stuff with updates, most responsible organisations validate these updates before deploying them, so who knows when they'll be comprehensively covered?

Microsoft were running the compromised code also, so who knows? The attackers might have one of their signing certificates. The attack was done in such a manner as the extent of exfiltration would be practically impossible to quantify.

This is the Philby of malware.

pop058
20th December 2020, 09:50 AM
English please gentlemen

BradC
21st December 2020, 12:25 AM
English please gentlemen

Some clever and probably well funded (at or to a State level) bad men developed some very nasty software that allowed them to steal unquantified and probably untraceable buckets of information from up to 300,000 organisations globally. Nobody knows which or how many of these were compromised, nor what (if anything) was taken. The sort of data lost could range from cat pictures to the US nuclear codes. Bad, naughty men!

Saitch
21st December 2020, 07:14 AM
Gasp! You mean.........you're saying..........you're telling me that a foreign power may quite possibly have my AULRO password!

Oh, will this subterfuge never end?