Microsoft is joining the fight against the malware distributed through a compromised SolarWinds patch by quarantining compromised Orion binaries, the company has confirmed.
SolarWinds was breached in early December, most likely through stolen Office 365 credentials. Allegedly, Russian state-sponsored hackers used access to SolarWinds to add malicious code to the next patch of its IT management tool Orion.
The patch was then downloaded by approximately 18,000 businesses, including various US government agencies. The compromised patch triggered the download of malware dubbed Solorigate / SUNBURST.
Given the scale of the attack and the high-profile nature of the targets, it has been described as one of the most devastating attacks of the year.
SolarWinds has promised a patch that will remove all traces of the malware from the affected systems, but Microsoft is also taking steps to prevent further damage.
The firm's cybersecurity tool, Defender, is already capable of detecting and quarantining the malware, but it will now block the compromised SolarWinds binaries as well.
"It is important to understand that these binaries represent a significant threat to customer environments. Customers should consider any device with the binary as compromised and should already be investigating devices with this alert. Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running," the company explained.