Microsoft failed to shore up defenses that could have limited SolarWinds hack: US senator

SAN FRANCISCO (Reuters) – Microsoft Corp’s failure to fix known problems with its cloud software has facilitated the massive SolarWinds hack that has compromised at least nine federal government agencies, according to security experts and U.S. Sen. Ron Wyden’s office.

A weakness first publicly revealed by researchers in 2017 allows hackers to forge the identity of authorized employees in order to access customers’ cloud services. The technique was one of many used in the SolarWinds hack.

Wyden, who has faulted tech companies on security and privacy issues as a member of the Senate Intelligence Committee, criticized Microsoft for not doing more to prevent forged identities or to warn customers about the risk.

“The federal government is spending billions on Microsoft software,” Wyden told Reuters ahead of a House of Representatives hearing on SolarWinds on Friday.

“We should be careful about spending before we find out why the company did not warn the government about the hacking technique used by the Russians, which Microsoft knew about since at least 2017,” he said.

Microsoft President Brad Smith will testify on Friday before the House committee investigating the SolarWinds hack.

U.S. officials have blamed Russia for the massive intelligence operation that broke into SolarWinds, which produces network management software, as well as Microsoft and others, to steal data from several governments and about 100 companies. Russia denies responsibility.

Microsoft has challenged Wyden’s findings, telling Reuters that the design of its identity services was not to blame.

In response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “was never used in a real attack” and “was not a priority to the intelligence community as a risk and was not even marked by civilian agencies.”

But in a public advisory issued on December 17, following the SolarWinds hack, the National Security Agency called for closer monitoring of identity services, stating: “This SAML counterfeiting technique has been known and used by cyber actors since at least 2017.”

In response to additional questions from Wyden this week, Microsoft acknowledged that its programs were not configured to detect the theft of identities used for cloud access.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure showed that cloud security risks should be a higher priority.

The sophisticated identity abuse by the hackers “reveals a worrying weakness in how cloud computing giants invest in security, perhaps failing to adequately mitigate the risk of high-impact, low-probability failures in systems underlying their security model,” said Herr.

In testimony to Congress on Tuesday, Smith said only about 15 percent of the victims of the SolarWinds campaign were affected by Golden SAML. Even in those cases, the hackers already had to have access to the victims’ systems before they could use the method.

However, Wyden’s staff said that one of these victims was the US Treasury, which lost emails from dozens of officials.

Reporting by Joseph Menn; edited by Jonathan Weber and Howard Goller
