The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised.
The likely Russian hackers first viewed a file in a Microsoft source repository in late November, and the Redmond, Wash.-based software giant detected unusual activity in some internal accounts the next month. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.
“A concerning aspect of this attack is that security companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target.”
Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.
The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.
Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
“The cybersecurity industry has long been aware that sophisticated and well-funded actors were theoretically capable of advanced techniques, patience, and operating below the radar, but this incident has proven that it isn’t just theoretical,” the Microsoft Security Response Center (MSRC) wrote Thursday in the final update on its internal investigation into the SolarWinds hack.
Microsoft said the SolarWinds hackers weren’t able to access its privileged credentials or leverage Security Assertion Markup Language (SAML) techniques against the company’s corporate domains. But outside of Microsoft, U.S. investigators said one of the principal ways the hackers have collected victim information is by compromising the SAML signing certificate using escalated Active Directory privileges.
Organizations that delegate trust to on-premises components in deployments that connect on-premises infrastructure and the cloud end up with an additional seam they need to secure, the MSRC wrote. As a result, if an on-premises environment is compromised, Microsoft said there’s an opportunity for hackers to target cloud services.
“When you rely on on-premises services, like authentication server, it is up to a customer to protect their identity infrastructure,” Jakkal wrote in her blog post. “With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud.”
At the same time, Jakkal said the SolarWinds hackers took advantage of abandoned app accounts with no multi-factor authentication to access cloud administrative settings with high privilege. As organizations transition from implicit trust to explicit verification, Jakkal said they first must focus on protecting identities, especially privileged user accounts.
“Gaps in protecting identities (or user credentials) like weak passwords or lack of multifactor authentication are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more,” Jakkal said.
The SolarWinds hackers tried and failed to get into CrowdStrike and read its emails via a Microsoft reseller’s Azure account that was responsible for managing CrowdStrike’s Microsoft Office licenses. If a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant, Microsoft said.
But the abuse of administrative access wouldn’t be a compromise of Microsoft’s services themselves, the company told CRN on Dec. 24.