Published on the 23/02/2021 | Written by Heather Wright
Microsoft: Nothing to see here folks, move along…
Microsoft has admitted that source code for some Azure, Exchange and Intune components – including Azure subsets of service, security and identity – were accessed during the December SolarWinds attacks, but says there’s no indication the breach allowed customers to be hacked.
The company’s formal investigation into the breach notes the hackers read and downloaded some source code, but says there was no evidence of access to either production servers or customer data.
“The investigation also found no indications that our systems at Microsoft were used to attack others,” Microsoft’s formal investigation final report says.
The tech giant says there was no case where all repositories relating to a single product or service were accessed.
It did, however, find signs that the hackers were able to inspect – and download – ‘a small subset’ of code repositories for its Azure cloud identity and security programs, along with code for Exchange and Intune mobile management.
The company had previously admitted that some source code had been accessed, but hadn’t said which parts, or that they had been copied.
The December supply chain attacks, which Microsoft president Brad Smith has called ‘the largest and most sophisticated attack the world has ever seen’, compromised the Orion network-management software from SolarWinds. Around 18,000 SolarWinds customers installed the affected update, enabling hackers to gain access to thousands of companies and government offices, including the US Treasury and Department of Justice. US intelligence services have pointed the finger at Russia, saying they believed it was an attempt to collect intelligence. Russia, for its part, has denied any involvement.
Last week the White House’s top cybersecurity adviser, deputy national security adviser Anne Neuberger, said nine federal agencies and about 100 private sector companies were compromised in the December supply chain attacks.
“As you know, roughly 18,000 entities downloaded the malicious update. So the scale of potential access far exceeded the number of known compromises,” Neuberger says. “Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions.
“The techniques that were used lead us to believe that any files or emails on a compromised network were likely to be compromised,” she says.
After initially denying reports that it had been compromised in the attacks, Microsoft finally admitted it had been affected, and on December 31 fessed up that hackers had gained access to some of its source code – the foundation of software and, as such, generally regarded as the family jewels and a tightly guarded secret.
The company’s formal investigation into the breach says the first viewing of files in a source repository was in late November ‘and ended when we secured the affected account’ – presumably after the company ‘detected unusual activity’ in December and ‘took action to secure our systems’.
The breach became public on December 9 (A/NZ time), when an undoubtedly red-faced FireEye announced that ‘a highly sophisticated state-sponsored adversary’ had stolen the tools used by the security company’s Red Team – the security team tasked with mimicking attacks or exploitation capabilities to improve enterprise cybersecurity by demonstrating weaknesses and the impacts of attacks.
Days later FireEye chief executive Kevin Mandia flagged that the compromise had been executed via the Orion network monitoring offering.
The Microsoft report says no access was gained to privileged credentials and the hackers weren’t able to leverage security assertion markup language (SAML) against Microsoft’s corporate domains.
“For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search,” Microsoft says.
“For a small number of repositories, there was additional access, including in some cases, downloading component source code. These repositories contained code for: A small subset of Azure components (subsets of service, security, identity), a small subset of Intune components, a small subset of Exchange components.”
Microsoft says the search terms used by the actor indicate ‘the expected focus on attempting to find secrets’.
“Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.”
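The verification Microsoft describes – checking that no live credentials sit in current or historical branches – is the kind of job a repository secret scanner does. The script below is an added illustration written for this article, not Microsoft’s tooling or any part of its report. It scans every snapshot in a constructed, in-memory commit history (the commit ids, file paths and credential-looking strings are all made up for the example), so a secret that was committed and later deleted is still reported from the commit where it lived, and it skips lines that carry obvious placeholder markers so documentation samples do not drown out real hits.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    commit: str
    path: str
    line_no: int
    rule: str


# Illustrative detection rules; real scanners carry many more and tune them per codebase.
SECRET_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Lines containing these markers are treated as documentation placeholders, not live secrets.
PLACEHOLDER_MARKERS = ("EXAMPLE", "PLACEHOLDER", "CHANGEME", "<", "${")

# A commit is (commit_id, {path: file_content}); the list is ordered oldest first.
Snapshot = Tuple[str, Dict[str, str]]


def looks_like_placeholder(line: str) -> bool:
    return any(marker in line for marker in PLACEHOLDER_MARKERS)


def scan_text(text: str, commit: str, path: str) -> List[Finding]:
    """Run every rule over every line of one file in one commit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if looks_like_placeholder(line):
            continue
        for rule, pattern in SECRET_RULES.items():
            if pattern.search(line):
                findings.append(Finding(commit, path, line_no, rule))
    return findings


def scan_history(history: List[Snapshot]) -> List[Finding]:
    """Scan every snapshot, not just the newest one, so removed secrets are still surfaced."""
    findings = []
    for commit, tree in history:
        for path, content in tree.items():
            findings.extend(scan_text(content, commit, path))
    return findings


def commits_with_secrets(history: List[Snapshot]) -> List[str]:
    """Distinct commit ids, in history order, that contained at least one finding."""
    seen = []
    for finding in scan_history(history):
        if finding.commit not in seen:
            seen.append(finding.commit)
    return seen


# Constructed sample history: none of these values are real credentials or real commits.
SAMPLE_HISTORY: List[Snapshot] = [
    ("c1", {
        "src/config.py": "\n".join([
            "# constructed sample; not real credentials",
            'DB_PASSWORD = "hunter2hunter2"',
            'AWS_ACCESS_KEY_ID = "AKIAZZZZTESTKEY12345"',
        ]),
    }),
    ("c2", {  # secrets moved to the environment, so the current file is clean
        "src/config.py": "\n".join([
            "import os",
            'DB_PASSWORD = os.environ["DB_PASSWORD"]',
            'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]',
        ]),
    }),
    ("c3", {
        "src/config.py": "\n".join([
            "import os",
            'DB_PASSWORD = os.environ["DB_PASSWORD"]',
            'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]',
        ]),
        # The documented AWS sample key is skipped because the line carries "EXAMPLE".
        "README.md": "Configure with AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE (placeholder from AWS docs)",
        # A key checked in as a test fixture is still a finding.
        "tests/fixtures/key.pem": "\n".join([
            "-----BEGIN RSA PRIVATE KEY-----",
            "constructed-not-a-real-key-body",
            "-----END RSA PRIVATE KEY-----",
        ]),
    }),
]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit}:{f.path}:{f.line_no} {f.rule}")
    print("head-only findings:", len(scan_history(SAMPLE_HISTORY[-1:])))
```

Scanning only the newest snapshot reports just the fixture key in `c3`; scanning the full history also recovers the password and access key committed in `c1` and removed in `c2`, which is exactly why a check limited to current branches is not enough once an attacker has read historical revisions.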
Even after cutting off access, Microsoft’s Security Response Centre team says it continued to see unsuccessful attempts at access into early January.
As to the lessons learned from the attack, Microsoft says the investigation has shown it is essential to adopt a ‘zero trust’ philosophy – treating all systems as potentially unsafe, building security models on that stance, and explicitly verifying the security status of identity, endpoint, network and other resources using all available signals and data.
It’s also reinforced the need to protect privileged credentials, Microsoft says.