SolarWinds Hackers Gain Access To Microsoft’s Source Code
One Microsoft account compromised by suspected Russian hackers had been used to view source code in a number of source code repositories, but none of the code itself was altered, Microsoft disclosed Thursday.
Microsoft admitted Thursday that the suspected Russian government hackers’ presence in its environment went beyond the software giant simply downloading malicious SolarWinds Orion code.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the Microsoft Security Response Center wrote in a blog post Thursday.
The compromised Microsoft account didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, according to the company. Microsoft said it investigated and remediated the internal accounts with unusual activity.
[Related: CrowdStrike Fends Off Attack Attempted By SolarWinds Hackers]
Microsoft didn’t indicate what type of source code was accessed. The company’s stock was up $0.74 (0.33 percent) in trading Thursday to $222.42 per share.
“We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” Microsoft wrote in its blog post. “So viewing source code isn’t tied to elevation of risk.”
Microsoft’s disclosure comes a week after CrowdStrike said hackers believed to be with the Russian foreign intelligence service unsuccessfully attempted to hack the endpoint security firm via a Microsoft reseller’s Azure account. The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email, CrowdStrike said.
Microsoft told CRN Dec. 24 that if a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant. The abuse of access would not be a compromise of Microsoft’s services themselves, according to the company.
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft said at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
Microsoft reaffirmed Thursday that it’s found no indications that its systems were used to attack others. The company additionally hasn’t found any evidence that the SolarWinds hackers gained access to Microsoft’s production services or customer data.
Then on Dec. 21, The New York Times reported that the SolarWinds hackers had seized upon a Microsoft flaw to infiltrate the email system used by the U.S. Treasury Department’s senior leadership. The hackers performed a complex step inside Microsoft Office 365 to create an encrypted “token” that tricked the Treasury’s system into thinking the hackers were legitimate users, The New York Times said.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Dec. 17 it had observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said the tokens enable access to both on-premise and hosted resources.
One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.
Microsoft, however, said Thursday that it hasn’t any found any evidence that the SolarWinds hackers abused forged SAML tokens against the company’s own corporate domains. All malicious SolarWinds applications in Microsoft’s environments have been isolated and removed, according to the company.
“This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor,” Microsoft wrote in its blog.