Microsoft says its systems weren’t used to compromise other companies in connection with the SolarWinds Solorigate/Sunburst supply chain hack and related incidents.
“We have found no indications that our systems were used to attack others,” the company said in a blog post last Thursday attributed to the Microsoft security team. “Data hosted in Microsoft services (including email) were sometimes a post-compromise target of attack, but only after an attacker had gained privileged credentials in some other way.
“We’ve investigated each situation as we became aware of it and in each case, data hosted in Microsoft services (including email) were a target in the incident, but the attacker had gained privileged credentials in another way.”
In the Q&A-style blog post, the question was asked whether Microsoft was an initial entry point for the Solorigate threat actor. The answer was “no.”
“In our investigations to date, data hosted in Microsoft services (including email) was sometimes a target in the incidents, but the attacker had gained privileged credentials in some other way,” the blog post read. “From the beginning, we have said that we believe this is a sophisticated actor that has many tools in its toolkit, so it is not a surprise that a sophisticated actor would also use other methods to gain access to targets. In our investigations and through collaboration with our industry peers, we have confirmed several additional compromise techniques leveraged by the actor, including password spraying, spearphishing, use of webshell, through a web server, and delegated credentials.”
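Of the techniques Microsoft lists above, password spraying is the one that shows up most clearly in sign-in telemetry: one source tries a few common passwords against many accounts, so each account sees only one or two failures and per-account lockout thresholds never trip. The following detector is an added illustration, not code from Microsoft, SolarWinds or this article. It runs over a constructed, hypothetical sign-in log format (ISO timestamp, source IP, account, result) and flags a source IP that fails against many distinct accounts inside a short window, while leaving a conventional single-account brute-force attempt alone; the window and threshold are assumed values a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (hypothetical format; addresses are documentation ranges).
# 203.0.113.7 tries six different accounts in under 30 seconds (spray pattern).
# 198.51.100.9 fails twice on one account (ordinary brute force, not a spray).
SAMPLE_LOG = """\
2020-12-13T08:00:01Z 203.0.113.7 alice@example.com FAILURE
2020-12-13T08:00:04Z 203.0.113.7 bob@example.com FAILURE
2020-12-13T08:00:09Z 203.0.113.7 carol@example.com FAILURE
2020-12-13T08:00:15Z 203.0.113.7 dave@example.com FAILURE
2020-12-13T08:00:20Z 203.0.113.7 erin@example.com FAILURE
2020-12-13T08:00:27Z 203.0.113.7 frank@example.com SUCCESS
2020-12-13T08:05:00Z 198.51.100.9 alice@example.com FAILURE
2020-12-13T08:05:30Z 198.51.100.9 alice@example.com FAILURE
2020-12-13T08:06:00Z 198.51.100.9 alice@example.com SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": [...], "succeeded": [...]}} for every
    source IP whose failed sign-ins span at least `min_accounts` distinct
    accounts within any `window`-long interval. `succeeded` lists accounts that
    later signed in successfully from the same IP, i.e. the ones to triage first.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])  # make the sliding window monotonic in time

    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))

    findings = {}
    for ip, evs in by_ip.items():
        failures = [(ts, acct) for ts, acct, res in evs if res == "FAILURE"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the window is at most `window` wide.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            distinct = {acct for _, acct in failures[start:end + 1]}
            if len(distinct) >= min_accounts:
                succeeded = sorted({acct for _, acct, res in evs if res == "SUCCESS"})
                findings[ip] = {"accounts": sorted(distinct), "succeeded": succeeded}
                break  # one finding per source IP is enough
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: "
              f"{len(info['accounts'])} accounts, successes: {info['succeeded']}")
```

The key design choice is to count distinct accounts per source rather than failures per account; the second metric is exactly what a spray is built to evade. In practice the source key would be broadened (ASN, user agent, or tenant-wide aggregates) because a careful actor rotates IPs, and the successful sign-in after a burst of failures is the event that should page someone.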
In the SolarWinds incident, attackers were able to compromise some updates last spring to the company’s Orion network management platform. That has raised questions about how the attackers initially got into SolarWinds’ environment. There were also reports that the same threat group that hit SolarWinds (dubbed UNC2452 by FireEye) also broke into other firms.
Microsoft’s possible role in Solorigate was raised in part by a statement SolarWinds made in a filing to financial regulators, which said “SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the company’s emails and may have provided access to other data contained in the Company’s office productivity tools.”
In response, the blog post says that “we have investigated thoroughly and have found no evidence they were attacked via Office 365. The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation.”
It notes that in a column earlier this week, SolarWinds CEO Sudhakar Ramakrishna said that “we’re pursuing numerous theories but currently believe the most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability.
“While we’ve confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365. We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”
UPDATE: Ramakrishna told the Wall Street Journal that attackers had access to at least one SolarWinds employee’s email account as far back as December 2019. That led to the compromise of other accounts. According to a chronology, in September 2019 the attackers (dubbed UNC2452 by FireEye and Dark Halo by Volexity) began accessing the SolarWinds infrastructure and injecting test code into Orion builds.
Jim Love, Chief Content Officer, IT World Canada