Microsoft’s role in the SolarWinds breach is under scrutiny

Microsoft has become entangled in investigations surrounding the recently revealed, colossal US government hack, with media reports and corporate statements focusing on Office 365, Azure Active Directory and a key domain name.

Two major victims of the nation-state’s massive hacking campaign were reportedly compromised through their Microsoft Office 365 accounts. The Russian intelligence hackers monitored staff emails sent via Office 365 at the Department of Commerce’s National Telecommunications and Information Administration (NTIA) after breaking into NTIA’s office software, Reuters reported Sunday.

The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication checks, Reuters reported, citing a person familiar with the incident. The Department of Commerce said one of its bureaus had been breached, but did not respond to a question about Office 365’s role in the attack.

[Related: US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach]

Microsoft has not officially responded to CRN’s questions about whether the company itself was breached as part of this campaign, or how central Microsoft’s technology was to the hackers’ ability to compromise customers. Microsoft said in a blog post Sunday that its investigation has not identified any vulnerabilities in Microsoft products or cloud services. Once an attacker has compromised a target network, they may have access to a range of systems within it, according to a source familiar with the situation.

On Monday, SolarWinds said it had been made aware of an attack vector used to compromise the company’s Microsoft Office 365 email, according to a filing with the U.S. Securities and Exchange Commission (SEC). The hackers had gained access to numerous public- and private-sector organizations through trojanized updates to SolarWinds’ Orion network monitoring software, FireEye said in a blog post Sunday.

That same attack vector may have provided access to other data in SolarWinds’ Office 365 productivity suite, the company said. SolarWinds said it is investigating with Microsoft whether any customer, personnel or other data was exfiltrated as a result of this compromise, but has found no evidence of exfiltration at this time.

“SolarWinds, in partnership with Microsoft, has taken remedial action to address the compromise and is investigating whether further remedial action is needed, the period during which this compromise existed and whether the compromise is related to the attack on its Orion software build system,” the company said in its SEC filing.

As for Azure, the hackers were able to forge a token claiming to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog post Sunday. The hackers could also obtain Azure AD administrator rights using compromised credentials; Microsoft said this was especially likely when the account in question was not protected by multi-factor authentication.

“After gaining a significant foothold in the on-premise environment, the actor made changes to Azure Active Directory settings to facilitate long-term access,” wrote the Microsoft Security Research Center.

The hackers were observed adding new federated trusts to an existing tenant, or changing the properties of an existing federated trust so that it accepts tokens signed with certificates the hackers own, Microsoft said. They could also use their administrator rights to grant additional permissions to a target application or service principal, according to Microsoft.

Microsoft also noted that the hackers added password credentials or X.509 certificates to legitimate applications, allowing them to read email content from Exchange Online through Microsoft Graph or the Outlook REST API. Examples include email archiving applications, the company said. Such application permissions usually, but not always, depend only on the app’s own identity and not on the permissions of the signed-in user.
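The three Azure AD changes described above (federation trust modified, credentials added to an application or service principal, extra permissions granted to it) all leave entries in the tenant’s audit log, which is where a defender would look for them. The script below is an added example, not code from the article, from Microsoft or from any of the companies named; it parses a few constructed audit-log records in JSON-lines form and flags the operations of interest. The operation names are assumed to follow the Azure AD audit log’s activityDisplayName naming, and the sample records, user names and application name are invented.

```python
import json

# Constructed sample Azure AD audit-log records (JSON lines). These are invented
# for the example and only mimic the shape of an AuditLogs export.
SAMPLE_AUDIT_LOG = """\
{"activityDateTime":"2020-12-10T02:13:44Z","activityDisplayName":"Set federation settings on domain","initiatedBy":{"user":{"userPrincipalName":"admin@example.test"}},"targetResources":[{"displayName":"example.test","type":"Domain"}]}
{"activityDateTime":"2020-12-10T02:15:01Z","activityDisplayName":"Add service principal credentials","initiatedBy":{"user":{"userPrincipalName":"admin@example.test"}},"targetResources":[{"displayName":"MailArchiver","type":"ServicePrincipal"}]}
{"activityDateTime":"2020-12-10T09:00:12Z","activityDisplayName":"Update user","initiatedBy":{"user":{"userPrincipalName":"helpdesk@example.test"}},"targetResources":[{"displayName":"jdoe","type":"User"}]}
{"activityDateTime":"2020-12-11T11:30:05Z","activityDisplayName":"Add app role assignment to service principal","initiatedBy":{"app":{"displayName":"Microsoft Graph PowerShell"}},"targetResources":[{"displayName":"MailArchiver","type":"ServicePrincipal"}]}
"""

# Operations matching the behaviours the article describes. Names are assumed
# to follow Azure AD audit-log activityDisplayName conventions.
WATCHED_OPERATIONS = {
    "Set federation settings on domain": "federation trust modified",
    "Set domain authentication": "domain authentication mode changed",
    "Add service principal credentials": "credential added to service principal",
    "Update application – Certificates and secrets management": "credential added to application",
    "Add app role assignment to service principal": "application permission granted",
}


def parse_audit_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_of(record):
    """Return the user or application that initiated the change."""
    initiated = record.get("initiatedBy", {})
    if initiated.get("user"):
        return initiated["user"].get("userPrincipalName", "unknown-user")
    if initiated.get("app"):
        return initiated["app"].get("displayName", "unknown-app")
    return "unknown"


def find_suspicious_changes(records):
    """Return one hit per record whose operation is in WATCHED_OPERATIONS."""
    hits = []
    for rec in records:
        op = rec.get("activityDisplayName")
        if op in WATCHED_OPERATIONS:
            targets = [t.get("displayName", "?") for t in rec.get("targetResources", [])]
            hits.append({
                "time": rec["activityDateTime"],
                "operation": op,
                "reason": WATCHED_OPERATIONS[op],
                "actor": actor_of(rec),
                "targets": targets,
            })
    return hits


def targets_with_new_credentials_and_permissions(hits):
    """Service principals that both received a credential and were granted a permission.

    That combination is the pattern the article describes for reading mail through
    Graph or Outlook REST, so it deserves a closer look than either event alone.
    """
    creds = {t for h in hits if "credential" in h["reason"] for t in h["targets"]}
    perms = {t for h in hits if h["reason"] == "application permission granted" for t in h["targets"]}
    return sorted(creds & perms)


if __name__ == "__main__":
    hits = find_suspicious_changes(parse_audit_log(SAMPLE_AUDIT_LOG))
    for h in hits:
        print(f'{h["time"]} {h["actor"]:<28} {h["operation"]} -> {h["targets"]} ({h["reason"]})')
    print("service principals with both new credentials and new permissions:",
          targets_with_new_credentials_and_permissions(hits))
```

On a real tenant the same functions would be fed the exported AuditLogs records instead of the constructed string; every hit still needs to be checked against change-management records, since legitimate administrators also set federation settings and rotate application credentials.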

From a domain perspective, Microsoft on Monday took control of a key domain name that the SolarWinds hackers used to communicate with systems compromised by the backdoor in Orion product updates, KrebsOnSecurity reported Tuesday. Microsoft has a long history of taking control of domains involved in malware, especially when those domains are used to attack Windows clients.

Armed with that access, Microsoft should soon have an idea of which and how many SolarWinds customers were affected, KrebsOnSecurity said, because Microsoft now has insight into which organizations have IT systems still trying to reach the malicious domain.

“However, because many Internet service providers and affected companies are already blocking systems from accessing that malicious control domain or have disconnected the vulnerable Orion services, Microsoft’s visibility may be somewhat limited,” warned KrebsOnSecurity.

The sinkhole is part of the protective work Microsoft is doing together with industry partners, according to a source familiar with the situation. In a reply to a Krebs tweet, Microsoft spokesperson Jeff Jones wrote, “A global village is needed in cybersecurity … thanks to everyone who does their part!”

FireEye declined to comment, while GoDaddy, the current domain registrar for the malware control servers, told CRN in a statement that it was working closely with FireEye, Microsoft and others to keep the Internet safe. GoDaddy said it is unable to provide more details because of the ongoing investigation and its customer privacy policy.
