SolarWinds Vulnerability SCEP 2012 Protection: Behavior:Win32/Solorigate.C!dha

JH 136 Reputation points
2020-12-15T15:45:05.197+00:00

Can Microsoft confirm if SCEP 2012 protects against the SolarWinds hack:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

=====================================================================================================

Mitigation: FireEye has provided two Yara rules to detect TEARDROP available on our GitHub. Defenders should look for the following alerts from FireEye HX: MalwareGuard and WindowsDefender:

Process Information

file_operation_closed
file-path*: “c:\windows\syswow64\netsetupsvc.dll
actor-process:
pid: 17900

Window’s defender Exploit Guard log entries: (Microsoft-Windows-Security-Mitigations/KernelMode event ID 12)

Process”\Device\HarddiskVolume2\Windows\System32\svchost.exe” (PID XXXXX) would have been blocked from loading the non-Microsoft-signed binary
‘\Windows\SysWOW64\NetSetupSvc.dll’

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,746 questions
Microsoft Configuration Manager
0 comments No comments
{count} votes

Accepted answer
  1. JH 136 Reputation points
    2020-12-15T17:10:56.9+00:00

    It finds it, we had it.

    48395-image.png


2 additional answers

Sort by: Most helpful
  1. Youssef Saad 3,401 Reputation points
    2020-12-15T16:24:15.127+00:00

    Hi @JH ,

    Maybe this blog will help you: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/

    Regards,


    Youssef Saad | New blog: https://youssef-saad.blogspot.com
    Please remember to ** “Accept answer” ** for useful answers, thank you!

    0 comments No comments

  2. JH 136 Reputation points
    2020-12-15T16:56:28.647+00:00

    Thanks, but I already have all of that data.

    There is no confirmation if SCEP 2012 protects against this that I have found.

    0 comments No comments