Microsoft failed to bolster the defenses that could have curtailed the SolarWinds Hack: US Senator

SAN FRANCISCO (Reuters) – Microsoft Corp’s failure to fix known issues with its cloud software enabled the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and US Senator Ron Wyden’s office.

A vulnerability first disclosed by researchers in 2017 allows hackers to forge the identity of authorized employees in order to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.

Wyden, who as a member of the Senate Intelligence Committee has criticized tech companies over security and privacy concerns, condemned Microsoft for not doing more to prevent forged identities or warn customers about them.

“The federal government is spending billions on Microsoft software,” Wyden told Reuters ahead of a SolarWinds hearing in the House of Representatives on Friday.

“We have to be careful about spending more before we find out why the company didn’t warn the government about the hacking technique the Russians were using that Microsoft had known about since at least 2017,” he said.

Microsoft president Brad Smith will testify Friday before the House committee investigating the SolarWinds hacks.

US officials have blamed Russia for the massive intelligence operation that has penetrated SolarWinds, which creates software to manage networks, as well as Microsoft and others, to steal data from multiple governments and about 100 companies. Russia denies responsibility.

Microsoft disputed Wyden’s conclusions, telling Reuters that the design of its identity services was not flawed.

In response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “was not prioritized by the intelligence community as a risk, nor was it being flagged by civil authorities.”

But in a public advisory following the SolarWinds hack, on Dec. 17, the National Security Agency called for closer scrutiny of identity services, noting, “This SAML forgery technique has been known since 2017 and is being used by cyber actors.”

In response to additional questions from Wyden this week, Microsoft acknowledged that its programs were not designed to detect theft of identity tools for granting cloud access.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure showed that cloud security risks should be given a higher priority.

Hackers’ sophisticated misuse of identities “exposes a worrisome weakness in the way cloud computing giants invest in security, perhaps not sufficiently reducing the risk of high impact, low probability failures in systems underlying their security model,” said Herr.

In congressional testimony on Tuesday, Microsoft’s Smith said that only about 15% of the victims in the SolarWinds campaign were harmed via Golden SAML. Even in those cases, the hackers had to have access to systems before they could deploy the method.

But Wyden’s staff said one of those victims was the US Treasury, which lost emails from dozens of officials.

Reporting by Joseph Menn; edited by Jonathan Weber and Howard Goller
