Microsoft posts deep dive on Solarwinds attack, finds extreme skill and sophistication

Home » security

Reading time icon 2 min. read

Calendar icon Published on

by Surur Davids 

published on

Share this article

Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

solorigate

Microsoft has posted another update on the Solarwinds attack which infected 18,000 companies last year, including Microsoft’s network.

This time their post is a deep dive on how the attackers worked to evade detection and spread silently through company networks.

Microsoft notes:

Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files.

Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims.

The attackers were not only very diligent but also patient. One of the ways they avoided detection, for example, was to first enumerated remote processes and services running on the target machine. They then disabled specific security services by editing the registry of the target machine to disable autostarting of security processes. The hackers then waited for machines to be rebooted during the normal course of events before attacking.

Some elements were mundane, but still genius, for example only attacking systems during business hours, so normal activity would obscure theirs.

“The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary,” Microsoft noted.

Read Microsoft’s full and detailed report, which also includes advice on protecting your network from similar attacks, here.

via The Register

More about the topics: security, solarwinds, soligate

Surur Davids

Surur Davids Shield

Smartphone Expert

Surur Davids is the founder of WMPoweruser which later became MSPoweruser.com. He's a smartphone expert with over a decade of experience.