SolarWinds Hackers Kept Going After Microsoft Until January
The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised.
The likely Russian hackers first viewed a file in a
Microsoft source repository in late November, and the Redmond, Wash.-based
software giant detected unusual activity in some internal accounts the next
month. The hackers lost source repository access after Microsoft secured its
compromised accounts, but the threat actor kept making unsuccessful attempts to
regain access all the way until early January.
“A concerning aspect of this attack is that security
companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice
president of security, compliance and identity, wrote in a blog post Thursday.
“Microsoft, given the expansive use of our productivity tools and leadership in
security, of course was an early target.”
Microsoft admitted the SolarWinds hackers were able to
download some source code for its Azure, Exchange and Intune cloud-based
products. The downloaded Azure source code was for subsets of its service,
security and identity components, according to Microsoft.
The search terms used by the SolarWinds hackers indicate
they were attempting to find secrets such as API keys, credentials, and
security tokens that may have been embedded in the source code, according to
Microsoft. But the company said it has a development policy that prohibits
storing secrets in source code and runs automated tools to verify compliance.
Microsoft said it subsequently confirmed that both current
and historical branches of its source code repositories don’t contain any live
production credentials. For nearly all the Microsoft code repositories accessed
by the SolarWinds hackers, only a few individual files were viewed as a result
of a repository search, according to the company.
“The cybersecurity industry has long been aware that
sophisticated and well-funded actors were theoretically capable of advanced
techniques, patience, and operating below the radar, but this incident has
proven that it isn’t just theoretical,” the Microsoft Security Response Center
(MSRC) wrote Thursday in the final update on its internal investigation into
the SolarWinds hack.
Microsoft said the SolarWinds hackers weren’t able to access
its privileged credentials or leverage Security Assertion Markup Language (SAML)
techniques against the company’s corporate domains. But outside of Microsoft,
U.S. investigators said one of the principal ways the hacker has collected
victim information is by compromising the SAML signing certificate using
escalated Active Directory privileges.
Organizations that delegate trust to on-premises components
in deployments that connect on-premises infrastructure and the cloud end up
with an additional seam they need to secure, the MSRC wrote. As a result, if an
on-premises environment is compromised, Microsoft said there’s an opportunity
for hackers to target cloud services.
“When you rely on on-premises services, like authentication
server, it is up to a customer to protect their identity infrastructure,”
Jakkal wrote in her blog post. “With a cloud identity, like Azure Active
Directory, we protect the identity infrastructure from the cloud.”
At the same time, Jakkal said the SolarWinds hackers took
advantage of abandoned app accounts with no multi-factor authentication to
access cloud administrative settings with high privilege. As organizations
transition from implicit trust to explicit verification, Jakkal said they first
must focus on protecting identities, especially privileged user accounts.
“Gaps in protecting identities (or user credentials) like
weak passwords or lack of multifactor authentication are opportunities for an
actor to find their way into a system, elevate their status, and move laterally
across the environments targeting email, source code, critical databases and
more,” Jakkal said.
The SolarWinds hackers tried and failed to get into
CrowdStrike and read their emails via a Microsoft reseller’s Azure account that
was responsible for managing CrowdStrike’s Microsoft Office licenses. If a
customer buys a cloud service from a reseller and allows the reseller to retain
administrative access, then a compromise of reseller credentials would grant
access to the customer’s tenant, Microsoft said.