SolarWinds’ hacking campaign puts Microsoft on the hot seat

BOSTON (AP) – The sprawling hacking campaign considered a serious threat to US national security became known as SolarWinds, after the company whose software update Russian intelligence agents seeded with malware to penetrate sensitive government and private networks.

Yet it was Microsoft whose code the cyber spies persistently abused in the second phase of the campaign, rummaging through emails and other files from targets as valuable as then-head of Homeland Security Chad Wolf, and hopping unnoticed between victims’ networks.

This has put the world’s third most valuable company on the hot seat. Because its products are a de facto monoculture in government and industry, with more than 85% market share, federal lawmakers insist that Microsoft quickly upgrade security to what they say it should have provided in the first place, and without fleecing the taxpayer.

To address those concerns, Microsoft last week offered all federal agencies a year of “advanced” security features at no additional cost. But it has also tried to deflect blame, saying that customers don’t always make security a priority.

Risks in Microsoft’s foreign dealings also came to light on Thursday, when the Biden administration imposed sanctions on half a dozen Russian IT companies it said supported Kremlin hacking. The most prominent was Positive Technologies, one of more than 80 companies in a Microsoft program that gives them early access to data on vulnerabilities detected in its products. After the sanctions were announced, Microsoft said Positive Tech was no longer part of the program and removed the name from a list of participants on its website.

The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine US government agencies, including the Justice and Treasury Departments, and more than 100 private companies and think tanks, including software and telecommunications providers.

The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture, which validates users’ identities and grants them access to email, documents and other data, did the most dramatic damage, the nonpartisan Atlantic Council think tank said in a report. That is what distinguished the hack as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “quietly walked through Microsoft products,” sucking up emails and files from dozens of organizations.

Thanks in part to the carte blanche that victim networks granted the infected SolarWinds network management software in the form of administrative privileges, the intruders were able to move laterally across those networks and even jump between organizations. They used that access to sneak into the cybersecurity company Malwarebytes and to target customers of Mimecast, an email security company.

The “hallmark” of the campaign was the intruders’ ability to impersonate legitimate users and create spoofed credentials that allowed them to retrieve data stored remotely by Microsoft Office, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said at a congressional hearing in mid-March. “It was all because they compromised those systems that manage trust and identity on networks,” he said.

Microsoft President Brad Smith told a congressional hearing in February that only 15% of victims had been compromised through an authentication vulnerability first identified in 2017, which allows intruders to pose as authorized users by minting the rough equivalent of fake passports.

Microsoft officials stress that the SolarWinds update was not always the starting point; intruders sometimes exploited weaknesses such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company takes security too lightly. Senator Ron Wyden, D-Ore., berated Microsoft for failing to provide federal agencies with a level of “event logging” that, even if it had not detected the ongoing SolarWinds hacking, would at least have given responders a record of where the intruders were and what they saw and removed.

“Microsoft chooses the default settings in the software it sells, and while the company was aware of the hacking technique used against US government agencies for years, the company has not set default logging settings to capture information necessary for tracking hacks that are underway,” Wyden said. He wasn’t the only federal lawmaker to complain.

When Microsoft announced on Wednesday that it would give federal agencies a year of free security logging, for which it normally charges a premium, Wyden was not satisfied.

“This move is far from what it takes to make up for Microsoft’s recent failures,” he said in a statement. “The government still can’t access important security features without handing over even more money to the same company that created this cybersecurity hole.”

Representative Jim Langevin, D-R.I., had pressed Smith in February about up-selling security logging, comparing it to charging extra for seat belts and airbags in cars when they should be standard. He praised Microsoft for the one-year offer, but said a longer-term conversation is needed about logging being “not a profit center.” “We buy a year with this,” he said.

However, even the highest level of logging does not prevent intrusions. It only makes them easier to track down.

And, many security professionals note, Microsoft itself was compromised by the SolarWinds intruders, who gained access to part of its source code, the crown jewels. Microsoft’s full suite of security products, and some of the industry’s most skilled cyber defenders, failed to detect the ghost in the network. It was alerted to its own breach by FireEye, the cybersecurity company that first discovered the hacking campaign in mid-December.

The intruders in the unrelated Microsoft Exchange email server hack revealed in March, attributed to Chinese spies, used completely different methods of infection. But they immediately gained high-level access to users’ email and other information.

Across the industry, Microsoft’s investments in security are widely recognized. It is often the first to identify major cyber threats, so great is its visibility into networks. But many argue that, as the leading provider of security solutions for its own products, it should be more mindful of how much it profits from defending them.

“The crux of this is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who has made a career out of identifying vulnerabilities in Microsoft products and has a new startup in the works called BinMave.

Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million allocated to the Cybersecurity and Infrastructure Security Agency in last month’s $1.9 trillion pandemic relief package.

A Microsoft spokesperson wouldn’t say how much of that money it would get, and referred the question to the cybersecurity agency. An agency spokesman, Scott McConnell, wouldn’t say either. Langevin said he did not think a final decision had been made.

In the fiscal year ended September, the federal government spent more than half a billion dollars on Microsoft software and services.

Many security experts believe that Microsoft’s single sign-on model, which emphasizes user-friendliness over security, is ripe for redesign to reflect a world in which state-sponsored hackers now routinely roam American networks.

Alex Weinert, director of identity security at Microsoft, said it offers customers several ways to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult, because it often means giving up three decades of IT habit and disrupting business operations. Customers tend to configure too many accounts with the broad global admin privileges that the SolarWinds campaign exploited, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014-2015, lax access restrictions helped Chinese spies steal from the Office of Personnel Management sensitive personal information on more than 21 million current, former and prospective federal employees.

Curtis Dukes was the head of information assurance for the National Security Agency at the time.

The OPM shared data across multiple instances using Microsoft’s authentication architecture, granting access to more users than was safe, said Dukes, now general manager of the nonprofit Center for Internet Security.

“People took their eyes off the ball.”
