The SolarWinds hackers kept trying to break into Microsoft until early January, sustaining the attack even after Microsoft disclosed that its source code had been accessed.
The Russian hackers first viewed a file in a Microsoft source repository in late November, and the Redmond, Wash.-based software giant detected unusual activity in a small number of internal accounts the following month. The hackers lost access to the repository after Microsoft secured the compromised accounts, but the actor continued making unsuccessful attempts to regain access all the way into early January.
“A concerning aspect of this attack was that security companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Microsoft, given the widespread use of our productivity tools and leadership in security, was certainly an early target.”
Microsoft acknowledged that the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code covered subsets of its service, security and identity components, according to Microsoft.
The search terms used by the SolarWinds hackers indicate that they were trying to find secrets such as API keys, certificates and security tokens that might be embedded in the source code, according to Microsoft. But the company said its development policy prohibits storing secrets in source code, and that it runs automated tools to verify compliance.
Microsoft said it has since confirmed that no live production credentials exist in the current or historical branches of the source code repositories. For nearly all of the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as the result of a repository search, according to the company.
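The automated compliance check the article mentions, a scanner that refuses embedded credentials, is the kind of control that makes a source-code leak far less damaging. The following is an added example written for this page, not Microsoft's tooling: it scans an in-memory repository for the secret shapes the attackers searched for (API keys, private keys, tokens), skips obvious placeholders, and uses a Shannon-entropy threshold to avoid flagging low-entropy assignments. The repository contents, the pattern set, and the entropy threshold are all constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Credential shapes to look for. These patterns are illustrative, not an exhaustive ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    # "api_key = '...'" style assignments; the quoted value is captured in group 1
    "assigned_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|client[_-]?secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that are clearly not real credentials and should not raise a finding.
PLACEHOLDERS = {"changeme", "example", "placeholder", "xxx", "your_api_key", "<redacted>"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path, text, min_entropy=3.0):
    """Return one finding per (line, pattern) hit in a single file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "assigned_secret":
                value = m.group(1)
                # Skip placeholders and low-entropy values such as dictionary words.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                    continue
            findings.append({"path": path, "line": lineno, "kind": kind})
    return findings


def scan_repository(files):
    """Scan a mapping of path -> file text and aggregate findings across files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository (assumption for this example): two of three files
# contain credential-shaped strings; the key value below is fake.
SAMPLE_REPO = {
    "src/config.py": (
        "DEBUG = True\n"
        "API_KEY = 'sk_live_9f8e7d6c5b4a3f2e1d0c'\n"
        "DB_PASSWORD = 'changeme'\n"
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEogIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set API_KEY in your environment; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}: {f['kind']}")
```

Run as a pre-commit or CI gate, a non-empty findings list should fail the build; the entropy check is what keeps such a gate from drowning in false positives on configuration defaults, and the placeholder list is where teams record the strings their templates legitimately use.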
“The cybersecurity industry has long been aware that sophisticated and well-funded actors were theoretically capable of advanced techniques, patience, and operating below the radar, but this incident has proven that it isn’t just theoretical,” Microsoft’s Security Response Center (MSRC) wrote Thursday in the latest update on its internal investigation into the SolarWinds hack.
Microsoft said the SolarWinds hackers were unable to access its privileged credentials or use Security Assertion Markup Language (SAML) techniques against the company’s corporate domains. But outside Microsoft, U.S. investigators said one of the main ways the hackers collected victim information was by stealing a SAML signing certificate using Active Directory privileges.
Organizations that delegate trust to on-premises components have in effect created an additional seam, connecting on-premises infrastructure to the cloud, that they need to secure, the MSRC wrote. As a result, if the on-premises environment is compromised, Microsoft said there is an opportunity for hackers to target cloud services.
“When you rely on on-premises services, such as an authentication server, it is up to the customer to protect their identity infrastructure,” Jakkal wrote in her blog post. “With cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud.”
At the same time, Jakkal said the SolarWinds hackers exploited dormant app accounts that lacked multi-factor authentication to gain access to highly privileged cloud administration settings. As organizations move from implicit trust to explicit verification, Jakkal said they must first focus on protecting identities, especially privileged user accounts.
“Gaps in protecting identities (or user credentials) such as weak passwords or a lack of multi-factor authentication are opportunities for an actor to find their way into a system, elevate their status, and move laterally across environments targeting email, source code, critical databases and more,” said Jakkal.
The SolarWinds hackers tried and failed to gain access to CrowdStrike and read its emails through a Microsoft reseller’s Azure account that was responsible for managing Microsoft Office licenses at CrowdStrike. If a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of the reseller’s credentials would give the attacker access to the customer’s tenant, Microsoft said.
But misuse of that administrative access would not be a compromise of Microsoft services themselves, the company told CRN on Dec. 24.