The SolarWinds breach has claimed its second reported private-sector victim, with hackers capitalizing on Microsoft’s wide use of SolarWinds to infiltrate the software giant, Reuters said.
Just like with SolarWinds, Reuters reported that Microsoft’s own products were then used to further the attacks on other victims. It wasn’t immediately clear how many Microsoft users were affected by the company’s tainted products, according to Reuters, citing people familiar with the matter.
A Microsoft spokesperson told CRN in an email that they believe the sources for the Reuters report are “misinformed or misinterpreting their information.”
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” according to the spokesperson. “We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
The company’s stock was down $1.17 (0.53 percent) to $218.25 in after-hours trading Thursday.
The Reuters report comes just hours after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it has evidence of additional initial access vectors beyond the SolarWinds Orion supply chain compromise. However, CISA said the other intrusion methods are still being investigated.
It is likely that the hackers have additional initial access vectors that haven’t yet been discovered, CISA wrote in a 17-page cyber activity alert. Specifically, CISA said it’s investigating incidents where the adversaries exhibit behavior consistent with the SolarWinds hackers but the victims either don’t use SolarWinds Orion or no SolarWinds exploitation activity was observed.
The Reuters report indicates that SolarWinds also served as the initial access vendor to Microsoft. FireEye was also compromised via SolarWinds, as were the U.S. Departments of Defense, State, Treasury, Homeland Security and Commerce, according to reports from Reuters and others.
CRN reported Tuesday that Microsoft had become ensnared in probes surrounding the colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name. Microsoft didn’t at the time provide an on-the-record response to CRN questions about if the company itself was breached as part of this campaign.
Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters said Sunday. On Monday, SolarWinds said it was made aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails.
As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.
Then on Thursday, CISA said it had observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said the tokens enable access to both on-premises and hosted resources.
One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.
Additionally, Microsoft said Sunday the hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates. They could also use their administrator privileges to grant additional permissions to the target Application or Service Principal, according to Microsoft.
Microsoft further observed the hackers adding password credentials or X.509 certificates to legitimate applications, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. These permissions are usually, but not always, scoped to the app identity alone rather than to the current user’s permissions.
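The activity CISA and Microsoft describe above (federation trusts added or modified, credentials added to service principals and applications, permissions granted to apps that can read mail as their own identity) leaves records in the Azure AD audit log. The following Python script is an added example, not code from CRN, CISA or Microsoft: it triages a handful of constructed audit-log records for exactly those operations and escalates credential additions on apps whose granted permissions allow reading mailboxes. The operation names in `WATCHED_OPERATIONS` are assumed from Microsoft's documented audit-log schema and should be verified against your own tenant; the app inventory and the log records are constructed sample data.

```python
import json
from collections import Counter

# Audit-log operation names assumed to appear in Azure AD audit logs for the
# activities described in the report. Assumption from Microsoft's documented
# schema; verify the exact strings against your own tenant's logs.
WATCHED_OPERATIONS = {
    "Set federation settings on domain": "federation trust modified",
    "Set domain authentication": "domain authentication type changed",
    "Add service principal credentials": "credential added to service principal",
    "Update application - Certificates and secrets management": "credential added to application",
    "Add app role assignment to service principal": "application permission granted",
}

# Application permissions that let an app read mail as itself, without a
# signed-in user (constructed list; Mail.Read is the Microsoft Graph name).
MAIL_READ_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}

# Constructed inventory: app display name -> application permissions granted.
APP_PERMISSIONS = {
    "Mail Archiver": {"Mail.Read", "User.Read.All"},
    "HR Portal": {"User.Read"},
}

# Constructed sample records in a simplified Azure AD audit-log shape.
SAMPLE_AUDIT_LOG_JSON = """
[
 {"activityDateTime": "2020-12-10T02:14:00Z", "operationName": "Set federation settings on domain",
  "initiatedBy": "globaladmin@example.invalid", "targetResources": ["example.invalid"]},
 {"activityDateTime": "2020-12-10T02:20:00Z", "operationName": "Add service principal credentials",
  "initiatedBy": "globaladmin@example.invalid", "targetResources": ["Mail Archiver"]},
 {"activityDateTime": "2020-12-10T09:00:00Z", "operationName": "Update user",
  "initiatedBy": "helpdesk@example.invalid", "targetResources": ["alice@example.invalid"]},
 {"activityDateTime": "2020-12-11T11:30:00Z", "operationName": "Add service principal credentials",
  "initiatedBy": "appowner@example.invalid", "targetResources": ["HR Portal"]}
]
"""


def triage_audit_log(records):
    """Return a finding for every record whose operation is in WATCHED_OPERATIONS.

    Federation/domain-authentication changes are always high severity; credential
    additions are high only when the target app can read mail as its own identity.
    """
    findings = []
    for rec in records:
        op = rec.get("operationName", "")
        if op not in WATCHED_OPERATIONS:
            continue
        targets = rec.get("targetResources", [])
        mail_capable = any(APP_PERMISSIONS.get(t, set()) & MAIL_READ_PERMISSIONS for t in targets)
        trust_change = "federation" in op.lower() or "authentication" in op.lower()
        findings.append({
            "time": rec.get("activityDateTime"),
            "actor": rec.get("initiatedBy"),
            "operation": op,
            "reason": WATCHED_OPERATIONS[op],
            "targets": targets,
            "severity": "high" if (trust_change or mail_capable) else "medium",
        })
    return findings


def actors_by_finding_count(findings):
    """Count findings per initiating account; a single account touching both
    federation settings and app credentials is worth an analyst's attention."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    found = triage_audit_log(json.loads(SAMPLE_AUDIT_LOG_JSON))
    for f in found:
        print(f"{f['time']} [{f['severity']}] {f['actor']}: {f['reason']} -> {f['targets']}")
    print(actors_by_finding_count(found))
```

Real tenants export these records through the Azure AD audit log, Microsoft Sentinel or the Graph API; the script only needs the `operationName`, `initiatedBy` and `targetResources` fields, so map your export onto that shape before feeding it in.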
“These observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,” CISA wrote.