Microsoft has been embroiled in questions around the colossal hack of the US government disclosed recently, with media reports and company statements focused on Office 365, Azure Active Directory and a key domain name.
According to reports, two key victims of the massive nation-state hacking campaign had their Microsoft Office 365 accounts compromised. Russian intelligence hackers monitored staff emails for months through Office 365 at the National Telecommunications and Information Administration (NTIA) of the Department of Commerce after breaking into NTIA's office software, Reuters reported Sunday.
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said one of its offices had been breached, but did not answer questions about the role of Office 365 in the attack.
[Related: US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach]
Microsoft did not provide an on-the-record answer to CRN’s questions about whether the company itself was compromised as part of this campaign, or about the role of Microsoft’s technology in the hackers’ ability to compromise customers. Microsoft said Sunday in a blog post that its investigation has not identified any vulnerabilities in Microsoft products or cloud services. Once an attacker has compromised a target network, they may have access to various systems, according to a source familiar with the situation.
On Monday, SolarWinds said it had been made aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails, according to a document filed with the U.S. Securities and Exchange Commission (SEC). Hackers had gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion network monitoring software, FireEye said in a blog post Sunday.
That same attack vector could have provided access to other data contained in SolarWinds’ Office 365 office productivity tools, the company said. SolarWinds said it is examining with Microsoft whether any customer, personal or other data was leaked as a result of this compromise, but has found no evidence of leakage at this time.
“SolarWinds, in collaboration with Microsoft, has taken remedial action to resolve the compromise and is investigating whether further remediation steps are needed, in what time period this compromise existed and whether the compromise is associated with the attack on its Orion software building system,” the company wrote in its SEC filing.
As for Azure, hackers were able to forge a token claiming to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote on Sunday. Hackers could also obtain administrative privileges from Azure AD with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multifactor authentication.
“Having achieved a significant step in the local environment, the actor has made changes to Azure Active Directory settings to facilitate long-term access,” the Microsoft Security Research Center wrote.
Hackers were observed adding new federation trusts to an existing tenant, or modifying the properties of an existing federation trust so that it would accept tokens signed with attacker-owned certificates, Microsoft said. They could also use their administrator privileges to grant additional permissions to a target application or service principal, according to Microsoft.
Microsoft also noted that hackers added password credentials or x509 certificates to legitimate applications, giving them the ability to read mail content from Exchange Online using Microsoft Graph or the Outlook REST API. Examples of such applications include mail archiving tools, the firm said. These application permissions usually, but not always, apply to the identity of the application itself rather than to the permissions of a signed-in user.
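The three post-compromise techniques described above (federation trust changes, credentials added to applications or service principals, and application permissions that expose mailbox content) all leave entries in the Azure AD audit log. The following triage script is an added example, not Microsoft's, CRN's or SolarWinds' code: it walks a list of audit records and flags the ones a defender would want to review first. The activity display names, the record field names and the sample records are assumptions modelled on Azure AD audit-log exports; adapt the constants to the field names your SIEM actually ingests.

```python
"""Triage Azure AD audit-log records for federation changes, added app
credentials and mail-reading application permissions.

Added example (not Microsoft's code). Activity names and record fields are
assumed to match Azure AD audit-log exports; verify against your own data.
"""
import json

# Assumed activity display names for federation trust changes.
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
}
# Assumed activity display names for credentials added to apps/service principals.
CREDENTIAL_ACTIVITIES = {
    "Update application - Certificates and secrets management",
    "Add service principal credentials",
}
# Assumed activity display name for granting app roles (application permissions).
ROLE_GRANT_ACTIVITIES = {"Add app role assignment to service principal"}
# Application-level permissions that expose mailbox content via Graph/Outlook REST.
MAIL_READ_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "full_access_as_app"}


def triage_record(rec):
    """Return (severity, reason) if the record is worth reviewing, else None."""
    activity = rec.get("activityDisplayName", "")
    target = rec.get("targetDisplayName", "?")
    actor = rec.get("initiatedBy", "?")
    if activity in FEDERATION_ACTIVITIES:
        # A new or altered trust lets tokens signed elsewhere be accepted by the tenant.
        return ("high", f"federation trust changed on {target} by {actor}")
    if activity in CREDENTIAL_ACTIVITIES:
        # A new secret/certificate on an existing app gives its holder the app's permissions.
        return ("high", f"credential added to {target} by {actor}")
    if activity in ROLE_GRANT_ACTIVITIES:
        granted = set(rec.get("appRoles", []))
        mail_hit = granted & MAIL_READ_SCOPES
        if mail_hit:
            return ("high", f"mail-reading permission {sorted(mail_hit)} granted to {target} by {actor}")
        return ("medium", f"app role {sorted(granted)} granted to {target} by {actor}")
    return None


def triage_audit_log(records):
    """Return a list of findings, one per suspicious record, oldest first."""
    findings = []
    for rec in sorted(records, key=lambda r: r.get("activityDateTime", "")):
        hit = triage_record(rec)
        if hit:
            findings.append({"time": rec.get("activityDateTime"),
                             "severity": hit[0], "reason": hit[1]})
    return findings


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"activityDateTime": "2020-12-10T08:01:00Z", "activityDisplayName": "Update user",
     "targetDisplayName": "alice@corp.example", "initiatedBy": "hr-sync@corp.example"},
    {"activityDateTime": "2020-12-10T09:15:00Z", "activityDisplayName": "Set federation settings on domain",
     "targetDisplayName": "corp.example", "initiatedBy": "svc-admin@corp.example"},
    {"activityDateTime": "2020-12-10T09:20:00Z", "activityDisplayName": "Add service principal credentials",
     "targetDisplayName": "Mail Archiver", "initiatedBy": "svc-admin@corp.example"},
    {"activityDateTime": "2020-12-10T09:22:00Z", "activityDisplayName": "Add app role assignment to service principal",
     "targetDisplayName": "Mail Archiver", "initiatedBy": "svc-admin@corp.example", "appRoles": ["Mail.Read"]},
    {"activityDateTime": "2020-12-10T11:00:00Z", "activityDisplayName": "Add app role assignment to service principal",
     "targetDisplayName": "Inventory Sync", "initiatedBy": "ops@corp.example", "appRoles": ["Device.Read.All"]},
    {"activityDateTime": "2020-12-10T12:00:00Z", "activityDisplayName": "Add member to group",
     "targetDisplayName": "Finance", "initiatedBy": "alice@corp.example"},
]

if __name__ == "__main__":
    for finding in triage_audit_log(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The value of this kind of triage is in the ordering: a federation change followed within minutes by a credential added to a mail-capable application, all from one administrator account, is the sequence Microsoft describes, and it stands out far more clearly in a sorted, filtered view than in the raw log.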
And, from a domain perspective, Microsoft on Monday took control of a key domain name that the SolarWinds hackers used to communicate with systems compromised through backdoored Orion product updates, KrebsOnSecurity reported Tuesday. Microsoft has a long history of seizing domains related to malware, especially when those domains are used to attack Windows clients.
Armed with that access, KrebsOnSecurity said Microsoft should soon have an idea of which and how many SolarWinds customers were affected. KrebsOnSecurity said Microsoft now has information about which organizations have IT systems that are still trying to ping the malicious domain.
“However, because many Internet service providers and affected companies are already blocking systems access to this malicious control domain or have disconnected vulnerable Orion services, Microsoft’s visibility may be somewhat limited,” KrebsOnSecurity warned.
According to a source familiar with the situation, the domain takeover is part of the protection work that Microsoft is doing in collaboration with industry partners. In a response to a tweet from Krebs, Microsoft spokesman Jeff Jones wrote: “In cybersecurity, we need a global people … thank you for everyone doing their part!”
FireEye declined to comment, while GoDaddy, which is the current domain registrar for malware control servers, told CRN in a statement that it worked closely with FireEye, Microsoft and others to help keep the Internet safe. GoDaddy said it cannot provide more data due to an ongoing investigation and the company’s customer privacy policy.