8 comments

[ 67.6 ms ] story [ 261 ms ] thread
Microsoft removed SolarWinds' certificates (since the attackers compromised their build servers), Windows Defender is quarantining the malware, and they were able to take possession over the domain that the malware authors were using to issue commands.

Those are all positive actions, and the OS certificate store and antivirus actions are security responses I would expect out of those respective products, but the article uses... unnecessarily flowery language to describe Microsoft as the savior of the software universe: (emphasis mine)

> This week Microsoft took a series of dramatic steps against the recent SolarWinds supply chain attack.

> The speed, scope and scale of Microsoft’s response were unprecedented

> Through four steps over four days, Microsoft flexed the muscle of its legal team and its control of the Windows operating system to nearly obliterate the actions of some of the most sophisticated offensive hackers out there.

I guess I don't know much about Geek Wire but the article seems a little over the top.

> Christopher Budd is an independent consultant focusing on communications in the areas of online security and privacy, incident response, and crisis communications. Among many roles in the industry he was a ten-year veteran of the Microsoft Security Response Center (MSRC)

Hm.

Yeah, these seem like pretty normal responses.

The tone made it sound like Microsoft had traced their IP and then launched a cruise missile at their location.

They built a UI in Visual Basic to track their IP!

Remember that is the level most people are familiar with.

(comment deleted)
How is it possible that the trojan was able to use MS file certificates for it's own files? Isn't it that certificate works only for the original file?
MS was basically the CA. It was SolarWind's signing key that was compromised via an on-prem attack. This article is somewhat over the top, it looks like what Microsoft actually did was just revoke the cert.
No, they've had the functional equivalent of Mac Gatekeeper up since late windows 8 days called SmartScreen. They redlist the code signer cert there and it will flag the install process to the user. They've probably just done an OCSP revoke of that public key.
Good thing I updated my employers systems yesterday. Love the Death Star metaphor!