Microsoft has released its current findings on the SolarWinds attack, which continues to shake the global cybersecurity industry.
So far, the technology firm has been able to outline attack methods, malware strains, and mitigation strategies, but it continues to stress that the full extent of the cyberattack remains unknown.
According to Microsoft’s investigation, the SolarWinds attack was made possible by a trojanized DLL file shipped with the Orion infrastructure management platform. Malicious code inserted into this file gave the attackers a backdoor into every system that loaded it, which they then used to carry out hands-on-keyboard activity inside the victim networks.
“In many of their actions, the attackers took steps to maintain a low profile,” the Microsoft 365 Defender Research Team explained. “For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named OrionImprovementBusinessLayer to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.”
In a detailed blog post, Microsoft went on to explain that the DLL backdoor allows the attackers to deliver second-stage payloads. Altogether, the technology giant has highlighted several malware strains associated with the attack on the SolarWinds platform.
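Because the attackers left the class name OrionImprovementBusinessLayer unobfuscated so it would blend in, that name is a simple string defenders can hunt for in the .NET assemblies on a host. The scanner below is an added example, not Microsoft's or SolarWinds' code: it walks a directory, checks each .dll/.exe for the class name in the UTF-8 form used by .NET metadata (and the UTF-16LE form, in case it appears as a managed string literal), and reports the SHA-256 of each hit. Reading is chunked with an overlap so a name straddling a chunk boundary is still found. The sample files it builds are constructed for the demo and are not real Orion binaries; the decoy name "OrionCoreBusinessLayer" is invented.

```python
import hashlib
import os
import tempfile

# The class name Microsoft reports the attackers chose to blend in with Orion's code.
MARKER = "OrionImprovementBusinessLayer"
# .NET type names are stored UTF-8 in the assembly's #Strings metadata heap; the
# UTF-16LE form is checked as well in case the name also occurs as a managed string.
PATTERNS = (MARKER.encode("utf-8"), MARKER.encode("utf-16-le"))


def sha256_of(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_has_marker(path, chunk_size=1 << 20):
    """True if any pattern occurs in the file. Consecutive chunks overlap by
    len(longest pattern) - 1 bytes so a match across a chunk boundary is not missed."""
    overlap = max(len(p) for p in PATTERNS) - 1
    tail = b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            window = tail + chunk
            if any(p in window for p in PATTERNS):
                return True
            tail = window[-overlap:]
    return False


def scan_tree(root, extensions=(".dll", ".exe")):
    """Walk root and return [(path, sha256)] for every candidate binary containing the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                if file_has_marker(path):
                    hits.append((path, sha256_of(path)))
    return hits


def build_demo_tree():
    """Constructed sample files (not real Orion binaries): one clean decoy, one with
    the class name in UTF-8, one with it in UTF-16LE, and a .txt that must be skipped."""
    root = tempfile.mkdtemp(prefix="orion_scan_")
    os.makedirs(os.path.join(root, "plugins"))
    samples = {
        "Clean.dll": b"MZ" + b"\x00" * 40 + b"OrionCoreBusinessLayer" + b"\x00" * 40,
        os.path.join("plugins", "Suspect.dll"):
            b"MZ" + b"\x00" * 40 + MARKER.encode("utf-8") + b"\x00" * 40,
        "Suspect2.exe":
            b"MZ" + b"\x00" * 40 + MARKER.encode("utf-16-le") + b"\x00" * 40,
        "notes.txt": MARKER.encode("utf-8"),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit_path, hit_digest in scan_tree(demo_root):
        print(f"HIT {hit_digest}  {hit_path}")
```

Point `scan_tree` at the Orion installation directory on a suspect host to produce a hash list you can compare against vendor-published indicators. A string match is a triage signal, not proof of compromise by itself; a hit should be confirmed by comparing the file's hash against known-bad indicators and inspecting the assembly.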
The SolarWinds attack made headlines worldwide when it broke last week, with high-level US Government agencies among those affected. US Secretary of State Mike Pompeo has recently come out in support of accusations blaming Russia for the cyberattack.
Microsoft Defender has been updated to block the malicious SolarWinds DLL, and the antivirus program will quarantine the associated malware even if its process is still running. Blocking the DLL stops the backdoor from loading, but it does not undo any hands-on-keyboard activity the attackers already carried out through it, which is why Microsoft stresses that the full extent of the intrusion remains unknown.