Microsoft responded with the strongest weapons to the SolarWinds attack
Source: IO Tech, added 18th Dec 2020
Microsoft and its partners have responded to the malware operation known as the SolarWinds attack, including with so-called sinkhole tactics.
Now Microsoft has outlined what it will do to counter the attack. The company said it manually removed the digital certificates used by the Trojan-infected files as soon as the attack came to light. In practice, this means that no Windows configuration will run these files, because Windows treats them as untrusted.
In addition, Microsoft updated Windows Defender to detect the Trojan used in the attack and alert users to it. On Wednesday, however, the company decided to change the default behavior of Windows Defender for Solorigate from a mere warning to automatic quarantine. Automatically quarantining infected files is effective, but it can also cause side effects such as a system crash.
In addition, Microsoft and its partners have isolated the avsvmcloud.com site used by the attackers with so-called sinkhole tactics. Sinkholing refers to isolating a server from the rest of the Internet by means of DNS servers, so that traffic destined for it is directed elsewhere. As a result, the malware loses the ability to communicate with its host server and is left without instructions.
Sources: FireEye, GeekWire
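The sinkhole behavior described above, sketched as an added example that is not from the article or from Microsoft: a resolver answers the sinkholed domain and its subdomains with a substitute address, and the query log shows which clients asked for it. The sinkhole address, the upstream table and the log format are assumptions constructed for the illustration.

```python
from collections import defaultdict

SINKHOLED_ZONES = {"avsvmcloud.com"}  # domain named in the article
SINKHOLE_IP = "192.0.2.53"            # assumption: RFC 5737 documentation address

def normalize(qname):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return qname.strip().lower().rstrip(".")

def sinkhole_zone(qname):
    """Return the sinkholed zone qname falls under, or None (whole-label match)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SINKHOLED_ZONES:
            return candidate
    return None  # 'notavsvmcloud.com' and 'avsvmcloud.com.example.org' end here

def resolve(qname, upstream):
    """Answer sinkholed names with SINKHOLE_IP, everything else from upstream."""
    if sinkhole_zone(qname):
        return SINKHOLE_IP
    return upstream.get(normalize(qname))

def clients_hitting_sinkhole(log_lines):
    """Map client IP -> sorted list of sinkholed names it asked for."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated lines
        _ts, client, qname = parts
        if sinkhole_zone(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample data (hypothetical log format: timestamp client qname)
SAMPLE_UPSTREAM = {"example.org": "198.51.100.7"}
SAMPLE_LOG = [
    "2020-12-16T09:00:01Z 10.0.0.5 host1.sub.avsvmcloud.com.",
    "2020-12-16T09:00:02Z 10.0.0.9 example.org",
    "2020-12-16T09:00:03Z 10.0.0.7 notavsvmcloud.com",
    "2020-12-16T09:00:04Z 10.0.0.5 AVSVMCLOUD.COM",
    "truncated line",
]

if __name__ == "__main__":
    print(clients_hitting_sinkhole(SAMPLE_LOG))
```

Clients that appear in the result are the hosts worth examining first, since only software that was looking for the sinkholed domain would have asked for it.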