Microsoft has announced that it will start blocking and isolating certain versions of SolarWinds, the app that was compromised as part of a high-profile cyberattack earlier this week. The decision should provide businesses with an additional layer of protection while they put more long-term patch management solutions in place.
“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” a Microsoft security blog explained.
“This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices.”
SolarWinds recently confirmed that versions 2019.4 through 2020.2.1 of its Orion app were infected with malware. Although security platforms quickly added detection rules for the malware, these only triggered alerts.
An ill wind
Where it has not been feasible for an organization to remove the SolarWinds platform from service, Microsoft has advised customers to exclude the software binaries from Defender scanning, and has provided instructions for how to do so. It has also said that this exclusion should be temporary and reverted once the binaries have been updated.
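The temporary-exclusion workflow described above, as an added PowerShell example that is not Microsoft's published instructions and not code from the article: it adds a Defender Antivirus path exclusion for the Orion binaries, records when it was added, verifies it, and reverts it once the binaries have been updated. The install path and log location are placeholders; the cmdlets (Add-MpPreference, Get-MpPreference, Remove-MpPreference) are the standard Defender Antivirus cmdlets.

```powershell
# Added example, not Microsoft's guidance: temporarily exclude the Orion
# binaries from Defender Antivirus scanning while the server must stay in
# service, then revert the exclusion after the binaries have been updated.
# Placeholder path; substitute the binaries named in Microsoft's own instructions.
$OrionPath = 'C:\PLACEHOLDER\SolarWinds\Orion'

# Record when and why the exclusion was added so that reverting it is not forgotten
# (assumed log location, for illustration only).
$LogFile = 'C:\PLACEHOLDER\defender-exclusion-log.txt'
$Note = "$(Get-Date -Format o) temporary exclusion added for $OrionPath; revert after patching"
Add-Content -Path $LogFile -Value $Note

# Add the temporary path exclusion.
Add-MpPreference -ExclusionPath $OrionPath

# Verify that the exclusion is in place.
$Current = (Get-MpPreference).ExclusionPath
if ($Current -contains $OrionPath) {
    Write-Output "Exclusion active for $OrionPath (temporary; see $LogFile)"
}

# Once the binaries have been updated to a clean version, revert the exclusion.
Remove-MpPreference -ExclusionPath $OrionPath
Add-Content -Path $LogFile -Value "$(Get-Date -Format o) exclusion removed for $OrionPath"

# Confirm that nothing under the Orion path remains excluded.
$Leftover = (Get-MpPreference).ExclusionPath | Where-Object { $_ -like "$OrionPath*" }
if ($Leftover) {
    Write-Warning "Exclusions still present: $($Leftover -join ', ')"
} else {
    Write-Output "No Orion exclusions remain; Defender scanning restored."
}
```

Run this in an elevated PowerShell session on the affected server; the two halves (add and remove) are separated in time by the patching window, so in practice the revert section is run as a second step once the update is confirmed.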
In light of the SolarWinds malware infection, two US Government agencies confirmed that they had been hit by a cyberattack. The US treasury and commerce departments said that the attacks were likely to be state-sponsored, with most of the evidence pointing in Russia’s direction.
As per usual, however, Russia responded by dismissing the accusations as “baseless.” Regardless of who’s responsible, the SolarWinds malware is certainly proving damaging, with an estimated 18,000 customers infected.