Suspected Russian spies used Microsoft resellers to crack customers

WASHINGTON: Suspected Russian hackers behind the worst U.S. cyber attack in years used a reseller's access to Microsoft services to reach targets that did not run the compromised network software from SolarWinds, investigators said.

While tampered updates to SolarWinds' Orion software were the only previously known entry point, security firm CrowdStrike said Thursday that hackers had gained access to the vendor that sold it Office licenses and used that access to try to read CrowdStrike's email.

CrowdStrike did not specifically identify the hackers as the ones who compromised SolarWinds, but two people familiar with the CrowdStrike investigation said they were.

CrowdStrike uses Office programs for word processing but not for email. The failed attempt, made months ago, was flagged to CrowdStrike by Microsoft on December 15.

CrowdStrike, which does not use SolarWinds, said it found no impact from the intrusion attempt and declined to name the vendor.

"They got in through the seller's access and tried to enable 'read' privileges for mail," one of the people familiar with the investigation told Reuters. "If it had been using Office 365 for email, it would have been game over."

Many Microsoft software licenses are sold through third parties, and these resellers can retain close access to client systems as customers add products or employees.

Microsoft said Thursday that such customers need to be vigilant.

“Our review of recent attacks has found incidents involving the misuse of credentials to gain access, which can come in a variety of forms,” said Microsoft chief executive Jeff Jones. “We have not identified any vulnerabilities or compromises of Microsoft’s product or cloud products.”

The use of a reseller's Microsoft access to try to break into a major digital defense company raises new questions about how many paths the hackers, who U.S. officials say are working on behalf of the Russian government, have into their targets.

The known victims so far include CrowdStrike's security rival FireEye and the U.S. Departments of Defense, State, Commerce, Finance and Homeland Security. Other major companies, including Microsoft and Cisco Systems, said they found the corrupted SolarWinds software internally but found no signs that the hackers had used it to move broadly across their networks.

FILE PHOTO: The SolarWinds logo outside its headquarters in Austin, Texas, on December 18, 2020. (Photo: REUTERS / Sergio Flores)

So far, Texas-based SolarWinds has been the only publicly confirmed channel for the initial intrusions, although officials have been warning for days that the hackers had other ways in.

Reuters reported a week ago that Microsoft products had been used in the attacks. But federal officials said they had not seen them as an initial vector, and the software giant said its own systems had not been used in the campaign.

Microsoft said then that its customers should remain vigilant. At the end of a long, technical blog post on Tuesday, it used a single phrase to describe seeing hackers reach Microsoft 365 cloud services "from trusted vendor accounts where the attacker had damaged the vendor's environment."

Microsoft wants resellers to have access to customer systems so they can add products and enable new users. But finding out which vendors still hold access rights at a particular time is so difficult that CrowdStrike developed and released a tool to do just that.


After a series of other breaches through cloud providers, including a large set of attacks by Chinese government-backed spies known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multi-factor authentication.

The Cybersecurity and Infrastructure Security Agency and the National Security Agency did not immediately comment.

Also Thursday, SolarWinds released an update to fix vulnerabilities in its Orion network management software after it discovered that a second set of hackers had targeted the company's products.

That followed a separate Microsoft blog post on Friday saying that SolarWinds software had been targeted by a second group of hackers unrelated to those linked to Russia.

It is not clear who the second set of hackers is, or the extent to which they have successfully hacked anywhere.

Russia has denied any involvement in the intrusions.
