Solorigate

Solorigate, also known as SUNBURST, is a sophisticated malware that was used in a series of cyberattacks in 2021. The malware was discovered to have been implanted into the SolarWinds Orion software through a supply-chain compromise, which Microsoft initially dubbed as "Solorigate". This allowed the attackers to breach government agencies and high-profile companies by exploiting misconfigurations in Microsoft's Active Directory Federation Services among other methods for espionage purposes. The complex attack chain involved a handover from the Solorigate DLL backdoor to the Cobalt Strike loader, a component yet to be fully understood. Microsoft has published multiple reports detailing the activity related to this attack campaign, including an analysis of the compromised DLL file that initiated the cyberattack. In addition, Microsoft has provided guidance for their customers on protecting themselves against such attacks. Advanced Hunting Queries (AHQ) related to Solorigate were made available in Microsoft's AHQ repository on GitHub to help locate possible exploitation activity. Recommendations for hardening networks against Solorigate and similar sophisticated cyberattacks have also been outlined. The disclosure of the Solorigate attack led to extensive investigations, providing more details and intelligence that were used to improve existing detections and build new ones. Security operations teams can refer to Microsoft's comprehensive guide on detecting and investigating Solorigate. Alerts were raised by Microsoft Defender for Endpoint on Solorigate-related malicious activity as early as June 2020. Forensic analysis of known cases with malicious activity occurring between May and November 2020 revealed relevant alerts generated by Microsoft Defender for Endpoint and Microsoft Defender for Identity.