{"id":92397,"date":"2020-12-15T13:00:36","date_gmt":"2020-12-15T21:00:36","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=92397"},"modified":"2023-10-13T09:04:37","modified_gmt":"2023-10-13T16:04:37","slug":"ensuring-customers-are-protected-from-solorigate","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/12\/15\/ensuring-customers-are-protected-from-solorigate\/","title":{"rendered":"Ensuring customers are protected from Solorigate"},"content":{"rendered":"

UPDATE:<\/b> Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM<\/a>. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.<\/p><\/blockquote>\n

Microsoft is monitoring a dynamic threat environment surrounding the discovery of a sophisticated attack that included compromised binaries from a legitimate software<\/a>. These binaries, which are related to the SolarWinds Orion Platform, could be used by attackers to remotely access devices. We have established a resource center that is constantly updated as more information becomes available at https:\/\/aka.ms\/solorigate<\/a>.<\/p>\n

On Sunday, December 13, Microsoft released detections that alerted customers to the presence of these malicious binaries, with the recommendation to isolate and investigate the devices.\u00a0It is important to understand that these binaries represent a significant threat to customer environments. Customers should consider any device with the binary as compromised and should already be investigating devices with this alert.<\/p>\n

Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices:<\/p>\n

    \n
  1. Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.<\/li>\n
  2. Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.<\/li>\n
  3. Investigate how the affected endpoint might have been compromised.<\/li>\n
  4. Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.<\/li>\n<\/ol>\n

    If service interruption is not possible, customers must take the action below to exclude SolarWinds binaries. This should be a temporary change that you should revert as soon as you update binaries from the provider or complete your investigation.<\/p>\n

     <\/p>\n

    For Microsoft Defender Antivirus via GPO Instructions: <\/a><\/strong><\/p>\n

    PATH: Computer Configuration<\/strong> > Administrative Templates<\/strong> > Windows Components<\/strong> > Microsoft Defender Antivirus<\/strong> (or Windows Defender Antivirus) > Threats<\/strong> > Specify threats upon which default action should not be taken when detected<\/strong>.<\/p>\n

    Value name: 2147771206<\/em><\/p>\n

    Value: 6<\/em><\/p>\n

    \u00a0<\/strong><\/p>\n

    For SCEP via GPO instructions:<\/strong><\/p>\n

    PATH: Computer Configuration<\/strong> > Administrative Templates<\/strong> > Windows Components<\/strong> > Endpoint Protection<\/strong> > Threats<\/strong> > Specify threats upon which default action should not be taken when detected<\/strong>.<\/p>\n

    Value name: 2147771206<\/em><\/p>\n

    Value: 6<\/em><\/p>\n

    Note: If you don\u2019t see the \u201cEndpoint Protection\u201d section, see: Manage Endpoint Protection using Group Policies – Configuration Manager | Microsoft Docs<\/a><\/p>\n

     <\/p>\n

    For Microsoft Defender Antivirus and SCEP via SCCM Instructions:<\/strong><\/a><\/p>\n

    PATH: Assets and Compliance, Endpoint Protection<\/strong> > Antimalware Policies<\/strong> > Threat overrides<\/strong> > Enter Threat name<\/strong>: Trojan:MSIL\/Solorigate.BR!dha<\/em><\/p>\n

    PATH: Assets and Compliance, Endpoint Protection<\/strong> > Antimalware Policies<\/strong> > <Select relevant policy> > Threat overrides<\/strong> > Enter Threat name<\/strong>: Trojan:MSIL\/Solorigate.BR!dha<\/em><\/p>\n

    Override action<\/strong>: Allow<\/em><\/p>\n

    \u00a0<\/strong><\/p>\n

    For MDAV via MEM using PowerShell Instructions<\/strong><\/a>:<\/strong><\/p>\n

      \n
    1. \u00a0Create a PowerShell script with the following content:<\/li>\n<\/ol>\n

      Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6<\/em><\/p>\n

        \n
      1. Name the script as follows: Allow_SolarWinds.ps1<\/em><\/li>\n
      2. Save it to a temporary location, such as C:\\Temp<\/em>.<\/li>\n
      3. Go to https:\/\/endpoint.microsoft.com<\/a> and sign in.<\/li>\n
      4. Browse to Devices<\/strong> > Windows<\/strong> > PowerShell scripts<\/strong>.<\/li>\n
      5. Select +Add<\/strong>, and then specify the following settings:<\/li>\n<\/ol>\n

        Name: Allow SolarWinds temporarily<\/em><\/p>\n

        Description: Allow SolarWinds temporarily while patching<\/em><\/p>\n

          \n
        1. Select Next<\/strong>, and then browse to where you saved the PowerShell script (for example, C:\\Temp\\Allow_SolarWinds.ps1<\/em>).<\/li>\n
        2. Run the script using the following settings:<\/li>\n<\/ol>\n

          Run this script using the logged on credentials: No<\/em><\/p>\n

          Enforce script signature check: No<\/em><\/p>\n

          Run script in 64-bit PowerShell Host: Yes<\/em><\/p>\n

            \n
          1. Select Next<\/strong>.<\/li>\n
          2. For Scope tag, use <default><\/em>.<\/li>\n
          3. Select Next<\/strong>.<\/li>\n
          4. For assignment, choose Select groups to include<\/strong>, and then select the security group that has your Windows 10 devices.<\/li>\n
          5. Choose Select<\/strong>, and then choose Next<\/strong>.<\/li>\n
          6. Review your settings, and then select Add<\/strong>.<\/li>\n<\/ol>\n

            Note: For MEM (Intune) PowerShell script troubleshooting, review: C:\\ProgramData\\Microsoft Intune Management Extension\\Logs\\IntuneManagementExtension.log<\/em><\/p>\n

             <\/p>\n

            For manual Microsoft Defender Antivirus via PowerShell Instructions<\/strong><\/a>:<\/strong><\/p>\n

            Launch PowerShell as Admin<\/p>\n

            Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6<\/em><\/p>\n

            For manual SCEP via PowerShell Instructions:<\/strong><\/p>\n

            Launch PowerShell as Admin<\/p>\n

            Import-Module \u201c$env:ProgramFiles\\Microsoft Security Client\\MpProvider\\MpProvider.psd1\u201d<\/em><\/p>\n

            Set-MProtPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6<\/em><\/p>\n

             <\/p>\n

            For Automatic remediation exclusions<\/strong><\/a>:<\/strong><\/p>\n

            Go to Settings<\/strong> > Indicators<\/strong> >\u00a0 File Hashes<\/strong>, and add the specific file hashes for the affected DLLs, select response action as Allow and Save<\/strong>.<\/p>\n

             <\/p>\n

            Alternate exclusion option by path<\/a>:<\/strong><\/p>\n

            C:\\Program Files (x86)\\SolarWinds\\Orion\\<\/em><\/p>\n

            \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 OR<\/p>\n

            <solar_windows_custom_install_location>\\Orion\\<\/em><\/p>\n

            Note: If you configure exclusions based on folder location<\/a>, make sure you remove this exclusion AS SOON AS POSSIBLE after you get remediated binaries from the vendor. Otherwise, you are leaving a place on your devices for future attacks.<\/p>\n

             <\/p>\n

            Note for Microsoft Defender Antivirus in passive mode:<\/strong><\/p>\n