Microsoft has been monitoring a sophisticated attack involving compromised third-party software, including an intrusion through malicious code in the SolarWinds Orion product. The malicious code gives the attacker a foothold in the network, which the attacker can then use to obtain elevated credentials. For further details, please refer to the SolarWinds advisory and the FireEye advisory.
Additionally, FireEye Red Team tools were recently stolen from the company. For further details, please refer to the FireEye blog post.
To help Azure Defender for IoT detect these latest threats, we strongly recommend deploying the attached threat intelligence (TI) package (dated 2020-12-15) as soon as possible.
To deploy the TI package, follow the instructions below. Please note that your sensor version must be 2.8.10 or later:
To log in to Support.microsoft.com, customers will be prompted to enter any valid Microsoft Account (MSA) or Office 365 account. (An MSA is an Outlook/Hotmail account, or any email address linked to a Microsoft account. Customers can create or configure an MSA at https://account.microsoft.com/account.)
During the first login, customers will be prompted to verify their details in order to be registered in the Microsoft Services Hub portal.
Select the category and problem, enter any additional information, and submit your ticket. Upload any attachments (optional).
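The version prerequisite above is easy to get wrong when checked across a fleet with a plain string comparison ("2.10.1" sorts below "2.8.10" lexicographically, yet it satisfies the requirement). The following is an added example, not Microsoft's tooling and not part of the Defender for IoT product: a small reader-side gate that parses sensor version strings numerically and reports which sensors are ready for the TI package and which still need an upgrade. The sensor names, version strings and the `MIN_SENSOR_VERSION` constant (taken from the 2.8.10 requirement stated in this advisory) are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum sensor version the advisory requires for this TI package.
MIN_SENSOR_VERSION = "2.8.10"


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '2.8.10', 'v2.9.0' or '2.9.0-build42' into a tuple of ints.

    Only the leading dotted-numeric part is compared; a 'v' prefix and any
    build suffix are ignored. Tuple comparison is numeric per component, so
    (2, 10, 1) > (2, 8, 10), unlike a string comparison.
    """
    core = version.strip().lstrip("vV")
    match = re.match(r"^(\d+(?:\.\d+)*)", core)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def meets_minimum(sensor_version: str, minimum: str = MIN_SENSOR_VERSION) -> bool:
    """True if sensor_version is at or above the required minimum."""
    return parse_version(sensor_version) >= parse_version(minimum)


def lexicographic_check(sensor_version: str, minimum: str = MIN_SENSOR_VERSION) -> bool:
    """The naive string comparison, kept only to show why it is wrong:
    '2.10.1' >= '2.8.10' is False because '1' < '8' as characters."""
    return sensor_version >= minimum


def ready_for_ti(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split an inventory of {sensor_name: version} into (ready, needs_upgrade)."""
    ready: List[str] = []
    needs_upgrade: List[str] = []
    for name, version in inventory.items():
        (ready if meets_minimum(version) else needs_upgrade).append(name)
    return ready, needs_upgrade


# Constructed sample inventory (hypothetical sensor names and versions).
SENSORS = {
    "sensor-plant-a": "2.8.10",        # exactly the minimum: ready
    "sensor-plant-b": "2.10.1",        # newer, but fails a string compare
    "sensor-plant-c": "2.8.9",         # one patch level too old
    "sensor-lab": "v2.9.0-build42",    # prefix and build suffix tolerated
}

if __name__ == "__main__":
    ready, stale = ready_for_ti(SENSORS)
    print("Ready for TI package (>= %s): %s" % (MIN_SENSOR_VERSION, ", ".join(ready)))
    print("Upgrade before deploying TI:  %s" % ", ".join(stale))
    for name in ("sensor-plant-b",):
        print(
            f"{name}: numeric check={meets_minimum(SENSORS[name])}, "
            f"string check={lexicographic_check(SENSORS[name])}"
        )
```

Run the gate against whatever inventory source you already keep for your sensors; only sensors in the ready list should receive the package, and the string-check column for sensor-plant-b shows the false negative a naive comparison would produce.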
Microsoft has also published updates to Microsoft Defender to help block related attacks, and to Azure Sentinel to provide additional signals for the post-compromise techniques observed in these intrusions. For more details, please see the Microsoft blog post titled “Customer Guidance on Recent Nation-State Cyber Attacks.”
It is our goal to continue to provide world-class support to our customers as part of the broader security ecosystem. This situation is evolving, so we will provide updates as they become available.