The SolarWinds hacking campaign puts Microsoft in the hot seat

BOSTON (AP) – The sprawling hacking campaign considered a grave threat to U.S. national security has come to be known as SolarWinds, after the company whose software update Russian intelligence agents seeded with malware to penetrate sensitive government and private networks.

But it was Microsoft's code that the cyber spies abused again and again in the campaign's second stage, rifling through the emails and other files of targets as valuable as then-acting Homeland Security Secretary Chad Wolf, and hopping undetected among victim networks.

That has put the world's third most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry, with more than 85% market share, federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without charging taxpayers extra for it.

Seeking to allay those concerns, Microsoft last week offered all federal agencies a year of "advanced" security features at no extra cost. But it has also tried to deflect blame, saying customers don't always make security a priority.

Microsoft's exposure was on display again on Thursday, when the Biden administration imposed sanctions on half a dozen Russian IT companies it said supported Kremlin hacking. The most prominent was Positive Technologies, which was among more than 80 companies to which Microsoft gave early access to data on vulnerabilities found in its products. After the sanctions were announced, Microsoft said Positive Technologies is no longer in the program and removed its name from the list of participants on its website.

The SolarWinds hackers took full advantage of what George Kurtz, CEO of the major cybersecurity firm CrowdStrike, called "systematic weaknesses" in key elements of Microsoft code to breach at least nine U.S. government agencies, the Justice and Treasury departments among them, and more than 100 private companies and think tanks, including software and telecommunications providers.

The hackers' abuse of Microsoft's identity and access architecture, which validates users' identities and grants them access to email, documents and other data, did the most dramatic damage, the non-partisan Atlantic Council think tank said in a report. It is what set the hack apart as "a large-scale coup." In almost every case of post-intrusion mischief, the intruders "walked silently through Microsoft products," siphoning emails and files from dozens of organizations.

Thanks in part to how freely victim networks had granted the infected SolarWinds network management software administrative privileges, the intruders could move laterally across those networks, even hopping between organizations. They used that access to break into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.

The "hallmark" of the campaign was the intruders' ability to impersonate legitimate users and create counterfeit credentials that let them retrieve data stored remotely by Microsoft Office, the acting director of the Cybersecurity and Infrastructure Security Agency, Brandon Wales, said at a mid-March hearing. "It was all because they compromised those systems that manage trust and identity in networks," he said.

Microsoft President Brad Smith told a congressional hearing in February that only 15 percent of victims were compromised through an authentication vulnerability first identified in 2017. It lets intruders who have taken control of an organization's identity system mint their own authentication tokens and so impersonate authorized users, the rough equivalent of printing counterfeit passports.
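The "counterfeit passport" mechanic, and why resource-side logging matters for catching it, as an added example that is not part of the AP article and is not Microsoft's or any vendor's code: a minimal Python model of a federation server that signs sign-in tokens, a relying party that checks them, and the one correlation that exposes a forged token. Real federation servers sign SAML assertions with the private key of an RSA token-signing certificate; this model substitutes an HMAC secret so it runs on the standard library alone. The key, issuer URL, account names and log records are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the federation server's token-signing key. In a real
# deployment this is the private key of the token-signing certificate; an HMAC
# secret is used here only so the example runs with the standard library.
IDP_SIGNING_KEY = b"constructed-federation-signing-key"
ISSUER = "https://sts.example.test/adfs"  # hypothetical issuer URL


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key, subject, groups, token_id, now, ttl=3600):
    """Sign a token for `subject`. The legitimate identity provider and an
    intruder holding a copy of `key` produce byte-identical output."""
    claims = {
        "iss": ISSUER, "sub": subject, "groups": groups,
        "jti": token_id, "iat": int(now), "exp": int(now) + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(key, token, now):
    """What a relying party (mail, file store) checks: signature, issuer and
    expiry. Returns the claims, or None. It cannot tell who did the signing."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


def unissued_tokens(issuance_log, usage_log):
    """Correlate the identity provider's own record of tokens it issued with
    tokens presented to resources. A token that validated but was never issued
    is the footprint of a forged credential; without the usage log there is
    nothing to correlate."""
    issued = {entry["jti"] for entry in issuance_log}
    return [use for use in usage_log if use["jti"] not in issued]


def demo(now=1_700_000_000):
    # Legitimate sign-in: the identity provider mints a token and logs it.
    legit = mint_token(IDP_SIGNING_KEY, "alice@example.test", ["Users"], "tok-001", now)
    issuance_log = [{"jti": "tok-001", "sub": "alice@example.test", "client": "10.0.0.5"}]

    # Intruder with a stolen copy of the key mints a token for a privileged
    # identity. The identity provider never sees it, so it logs nothing.
    forged = mint_token(IDP_SIGNING_KEY, "svc-backup@example.test",
                        ["Global Administrators"], "tok-999", now)

    # Both tokens pass the relying party's check.
    legit_ok = verify_token(IDP_SIGNING_KEY, legit, now) is not None
    forged_ok = verify_token(IDP_SIGNING_KEY, forged, now) is not None

    # Constructed resource-side audit records of which token read which mailbox.
    usage_log = [
        {"jti": "tok-001", "sub": "alice@example.test", "resource": "mailbox:alice"},
        {"jti": "tok-999", "sub": "svc-backup@example.test", "resource": "mailbox:director"},
    ]
    return legit_ok, forged_ok, unissued_tokens(issuance_log, usage_log)


if __name__ == "__main__":
    ok_legit, ok_forged, suspicious = demo()
    print("legitimate token accepted:", ok_legit)
    print("forged token accepted:   ", ok_forged)
    for hit in suspicious:
        print("token used but never issued:", hit)
```

The point of the model is the last function: signature checks cannot distinguish a forged token from a real one once the signing key is stolen, so the only tell is a token being used that the identity provider never issued, which requires access logs on the resource side to exist and be kept.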

Microsoft officials point out that the tainted SolarWinds update was not always the entry point; the intruders sometimes exploited weaknesses such as weak passwords and victims' lack of multi-factor authentication. But critics say the company took security too lightly. Senator Ron Wyden, D-Ore., lashed Microsoft for failing to provide federal agencies with a level of "event logging" that, even if it had not caught the SolarWinds hack in progress, would at least have given responders evidence of where the intruders had been and what they had seen and taken.

"Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set the default logging settings to capture the information needed to detect ongoing hacks," Wyden said. He was not the only federal lawmaker to complain.

When Microsoft announced on Wednesday a year of free security logging for federal agencies, a feature for which it normally charges a premium, Wyden was not appeased.

"This move is far from what is needed to compensate for Microsoft's recent failures," he said in a statement. "The government will still not have access to important security features without handing over even more money to the same company that created this cybersecurity pit."

Representative Jim Langevin, D-R.I., pressed Smith in February on the sale of security logging, comparing it to making seat belts and airbags optional extras on cars when they should be standard. He applauded Microsoft's one-year reprieve but said a longer-term conversation was needed about logging "not being a profit center." "This buys us a year," he said.

Even the highest level of logging does not prevent break-ins. It only makes them easier to detect, and then only if the logs are retained and someone reviews them.

And as many security professionals note, Microsoft itself was compromised by the SolarWinds intruders, who gained access to some of its source code, its crown jewels. Microsoft's full suite of security products, and some of the most skilled cyber defense practitioners in the industry, failed to detect the ghost in the network. It was FireEye, the cybersecurity firm that first spotted the hacking campaign in mid-December, that raised the alarm after discovering it had itself been breached.

The intruders in the unrelated hack of Microsoft Exchange email servers revealed in March, blamed on Chinese spies, used completely different infection methods. But they, too, gained immediate high-level access to users' email and other information.

Across the industry, Microsoft's investment in security is widely acknowledged. It is often the first to identify major cybersecurity threats, because its visibility into networks is so broad. But many argue that, as the leading seller of security products for its own software, it needs to be more careful about how much it profits from defending it.

"The bottom line is that Microsoft is selling you the disease and the cure," said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.

Last month, Reuters reported that a $150 million payment to Microsoft for a "secure cloud platform" was included in a draft plan for spending the $650 million allocated to the Cybersecurity and Infrastructure Security Agency in the $1.9 trillion pandemic relief act.

A Microsoft spokesman would not say how much money, if any, it would receive, referring the question to the cybersecurity agency. Nor would agency spokesman Scott McConnell say. Langevin said he did not think a final decision had been made.

In the budget year that ended in September, the federal government spent more than half a billion dollars on Microsoft software and services.

Many security experts believe Microsoft's distinctive sign-in model, which emphasizes user convenience over security, is overdue for an overhaul to reflect a world in which state-backed hackers now routinely run rampant across U.S. networks.

Alex Weinert, Microsoft's director of identity security, said the company offers customers various ways to strictly limit user access to what they need to do their jobs. But persuading customers to adopt them can be difficult, because it often means abandoning three decades of IT habits and disrupting business. Customers tend to set up too many accounts with global administrative privileges, which is what enabled the SolarWinds campaign's abuses, he said. "It's definitely not the only way I can do that."

In 2014-2015, lax access restrictions helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes headed the National Security Agency's cyber defense arm at the time.

OPM shared data among several agencies using Microsoft's authentication architecture, giving more users access than was safe, said Dukes, now with the nonprofit Center for Internet Security.

“People took their eyes off the ball.”
