BOSTON (AP): The sprawling hacking campaign deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update Russian intelligence agents seeded with malware to penetrate private networks and sensitive government systems.
Yet it was Microsoft whose code the cyberspies persistently abused in the campaign’s second stage, rifling through the emails and other files of high-value targets such as the then-head of Homeland Security, Chad Wolf, and hopping undetected among victim networks.
That has put the world’s third most valuable company in the spotlight. Because its products are a de facto monoculture in government and industry (more than 85% market share), federal lawmakers are insisting that Microsoft quickly upgrade security to what they say it should have provided in the first place, without fleecing taxpayers.
Seeking to allay concerns, Microsoft last week offered all federal agencies a year of “advanced” security features at no extra charge. But it has also sought to deflect blame, saying it is customers who don’t always make security a priority.
Risks related to Microsoft’s international dealings were also highlighted on Thursday, when the Biden administration sanctioned half a dozen Russian IT companies it said support Kremlin hacking. Most prominent was Positive Technologies, which was among more than 80 companies to which Microsoft has provided early access to data on vulnerabilities detected in its products. Following the sanctions announcement, Microsoft said Positive Tech was no longer in the program and removed its name from a list of participants on its website.
The SolarWinds hackers took full advantage of what George Kurtz, CEO of the leading cybersecurity company CrowdStrike, called “systematic weaknesses” in key elements of Microsoft’s code to mine at least nine U.S. government agencies (the Justice and Treasury departments among them) and well over 100 private companies and think tanks, including software and telecommunications providers.
The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture, which validates users’ identities and grants them access to email, documents and other data, did the most dramatic damage, the nonpartisan Atlantic Council think tank said in a report. It is what set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “moved silently through Microsoft products,” vacuuming up emails and files from dozens of organizations.
Thanks in part to the carte blanche that victim networks granted SolarWinds’ infected network management software in the form of administrative privileges, the intruders could move laterally, even hopping between organizations. They used it to sneak into the cybersecurity company Malwarebytes and to target customers of Mimecast, an email security company.
The “hallmark” of the campaign was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said at a congressional hearing in mid-March. “It was all because they compromised those systems that manage trust and identity in networks,” he said.
Microsoft President Brad Smith told a hearing in February that only 15% of victims were compromised through an authentication vulnerability first identified in 2017, one that lets intruders impersonate authorized users by minting the rough equivalent of forged passports.
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes exploited weaknesses such as victims’ weak passwords and lack of multifactor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D-Ore., verbally thrashed Microsoft for failing to supply federal agencies with a level of “event logging” that, even if it would not have detected the ongoing SolarWinds hacking, would at least have given responders a record of where the intruders were and what they saw and took.
“Microsoft chooses the default configuration of the software it sells, and although the company knew for years about the hacking technique used against U.S. government agencies, the company did not configure the default logging settings to capture the information needed to detect hackers in progress,” Wyden said. He was not the only federal lawmaker to complain.
When Microsoft announced on Wednesday a year of free security logging for federal agencies, for which it normally charges a premium, Wyden was not appeased.
“This move falls far short of what is needed to make up for Microsoft’s recent failures,” he said in a statement. “The government will still not have access to important security features without handing over even more money to the same company that created this cybersecurity mess.”
Rep. Jim Langevin, D-R.I., had pressed Smith in February over the sale of security logging, comparing it to making seat belts and airbags optional extras on cars when they should be standard. He credited Microsoft for the one-year concession but said a longer-term conversation is owed about logging “not being a profit center.” “This buys us a year,” he said.
Even the highest level of logging does not prevent breaches. It just makes them easier to spot.
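What that logging buys a responder can be made concrete. The following Python sketch is an added illustration, not drawn from the AP report or from Microsoft: it correlates the sign-ins a cloud service accepted against the token-issuance records of the on-premises federation server (the “system that manages trust and identity”). A token the cloud service honoured but the federation server never recorded issuing has no legitimate origin, which is the signature of the impersonation described above. All records, field names and the lifetime policy are constructed for this example; the point of the second, “basic” log set is that without the token identifier in the sign-in record the correlation cannot be run at all, so the detection silently degrades to nothing.

```python
"""Correlate cloud sign-ins with identity-provider token issuance records.

Added example, not from the article.  Shows why the logging level matters for
spotting forged identity tokens: a token a cloud service accepted but the federation
server never recorded issuing has no legitimate origin.  Field names, timestamps,
accounts and the lifetime policy are all constructed for illustration.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed: what the federation server logs when it issues a token.
IDP_ISSUANCE = [
    {"token_id": "t-1001", "user": "user1@agency.example", "issued": "2020-12-07T13:02:10Z", "lifetime_h": 1},
    {"token_id": "t-1002", "user": "user2@agency.example", "issued": "2020-12-07T13:05:44Z", "lifetime_h": 1},
    {"token_id": "t-1003", "user": "user3@agency.example", "issued": "2020-12-07T13:09:01Z", "lifetime_h": 1},
]

# Constructed: sign-ins the cloud service accepted.  Verbose logging records the
# identifier of the token that was presented; basic logging does not.
CLOUD_SIGNINS_VERBOSE = [
    {"token_id": "t-1001", "user": "user1@agency.example", "time": "2020-12-07T13:02:12Z", "app": "mail"},
    {"token_id": "t-1002", "user": "user2@agency.example", "time": "2020-12-07T13:05:50Z", "app": "mail"},
    # a token identifier the federation server has no record of ever issuing
    {"token_id": "t-7c3e", "user": "exec1@agency.example", "time": "2020-12-08T02:14:33Z", "app": "mail"},
    # issued to user3 but presented as user4: the subject does not match
    {"token_id": "t-1003", "user": "user4@agency.example", "time": "2020-12-07T13:09:20Z", "app": "files"},
    # a real token reused two days after its one-hour lifetime ended
    {"token_id": "t-1001", "user": "user1@agency.example", "time": "2020-12-09T09:00:00Z", "app": "mail"},
]
# The same sign-ins as a basic log would record them: no token identifier.
CLOUD_SIGNINS_BASIC = [{k: v for k, v in s.items() if k != "token_id"} for s in CLOUD_SIGNINS_VERBOSE]

REQUIRED_SIGNIN_FIELDS = {"token_id", "user", "time"}
REQUIRED_ISSUANCE_FIELDS = {"token_id", "user", "issued", "lifetime_h"}


def logging_gaps(signins, issuance):
    """Return, sorted, the field names the correlation needs but the logs lack."""
    gaps = set()
    for rec in signins:
        gaps |= REQUIRED_SIGNIN_FIELDS - set(rec)
    for rec in issuance:
        gaps |= REQUIRED_ISSUANCE_FIELDS - set(rec)
    return sorted(gaps)


def correlate(signins, issuance):
    """Return (kind, token_id, user) findings for sign-ins the IdP records cannot account for.

    Raises ValueError when the logs lack required fields, so that an empty result is
    never mistaken for an absence of intrusions.
    """
    gaps = logging_gaps(signins, issuance)
    if gaps:
        raise ValueError(f"logging level too low to correlate; missing fields: {gaps}")
    issued = {rec["token_id"]: rec for rec in issuance}
    findings = []
    for s in signins:
        rec = issued.get(s["token_id"])
        if rec is None:
            findings.append(("no_issuance_record", s["token_id"], s["user"]))
            continue
        if rec["user"] != s["user"]:
            findings.append(("subject_mismatch", s["token_id"], s["user"]))
            continue
        expires = datetime.strptime(rec["issued"], TS_FMT) + timedelta(hours=rec["lifetime_h"])
        if datetime.strptime(s["time"], TS_FMT) > expires:
            findings.append(("used_after_expiry", s["token_id"], s["user"]))
    return findings


if __name__ == "__main__":
    for kind, token_id, user in correlate(CLOUD_SIGNINS_VERBOSE, IDP_ISSUANCE):
        print(f"{kind:20} {token_id:8} {user}")
    try:
        correlate(CLOUD_SIGNINS_BASIC, IDP_ISSUANCE)
    except ValueError as exc:
        print("basic logging:", exc)
```

Run against the verbose records the script flags three sign-ins: the never-issued token, the subject mismatch and the expired-token reuse. Run against the basic records it refuses to report anything, which is the situation Wyden describes: the evidence to tell a forged credential from a real one was never written down.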
And, many security professionals point out, Microsoft itself was compromised by the SolarWinds intruders, who gained access to some of its source code: its crown jewels. Microsoft’s full suite of security products, and some of the industry’s most skilled cyber-defense practitioners, failed to detect the ghost in the network. FireEye, the cybersecurity company that first detected the hacking campaign in mid-December, did so by catching the breach of its own network.
The intruders in the unrelated hacking of Microsoft Exchange email servers disclosed in March, blamed on Chinese spies, used completely different infection methods. But they, too, gained instant high-level access to users’ email and other information.
Across the industry, Microsoft’s investments in security are widely acknowledged. So great is its visibility into networks that it is often the first to identify major cybersecurity threats. But many argue that, as the leading provider of security solutions for its own products, it needs to be more mindful of how much it should profit from defense.
“The crux of the matter is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.
Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft plan to spend the $650 million allocated to the Cybersecurity and Infrastructure Security Agency in the $1.9 trillion pandemic relief law passed last month.
A Microsoft spokesman would not say how much, if any, of that money the company would get, referring the question to the cybersecurity agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he did not believe a final decision had been made.
In the budget year that ended in September, the federal government spent more than half a million dollars on Microsoft software and services.
Many security experts believe Microsoft’s single sign-on model, which emphasizes user convenience over security, is ripe for a retooling to reflect a world in which state-backed hackers now routinely operate inside American networks.
Alex Weinert, Microsoft’s director of identity security, said the company offers customers several ways to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult, because it often means abandoning three decades of computing habits and disrupting the business. Customers tend to set up too many accounts with the sweeping global administrative privileges that enabled the SolarWinds campaign’s abuses, he said. “It’s not the only way to do it, of course.”
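The habit Weinert describes is measurable. The Python audit below is an added example, not the article’s or Microsoft’s code: given an export of accounts and the directory roles they hold, it counts the accounts carrying global administrative privilege against a ceiling, and flags those that lack multifactor authentication (the gap Microsoft officials cite above) or that double as someone’s everyday mailbox account, which is how an ordinary phishing success becomes a tenant-wide compromise. The export layout, field names, account names and the ceiling are assumptions; the role names are Azure AD built-in role names.

```python
"""Audit standing global-administrator privilege in a directory export.

Added example, not from the article or from Microsoft.  The export format, field
names, accounts and the policy ceiling are constructed assumptions; the role names
are Azure AD built-in roles.
"""
from collections import defaultdict

# Constructed sample export: one row per account, with the directory roles it holds,
# whether multifactor authentication is enforced, and whether it is also used as a
# day-to-day mailbox account.
ACCOUNTS = [
    {"upn": "adm-ops1@agency.example",   "roles": ["Global Administrator"],   "mfa": True,  "mailbox": False},
    {"upn": "adm-ops2@agency.example",   "roles": ["Global Administrator"],   "mfa": True,  "mailbox": False},
    {"upn": "helpdesk@agency.example",   "roles": ["Global Administrator"],   "mfa": False, "mailbox": True},
    {"upn": "user1@agency.example",      "roles": ["Global Administrator"],   "mfa": True,  "mailbox": True},
    {"upn": "svc-backup@agency.example", "roles": ["Global Administrator"],   "mfa": False, "mailbox": False},
    {"upn": "user2@agency.example",      "roles": ["Exchange Administrator"], "mfa": True,  "mailbox": True},
    {"upn": "user3@agency.example",      "roles": [],                         "mfa": True,  "mailbox": True},
]

GLOBAL = "Global Administrator"
# Assumed policy value: a small fixed ceiling on accounts holding the global role.
POLICY = {"max_global_admins": 3}


def global_admins(accounts):
    """Accounts holding the global administrator role, in export order."""
    return [a for a in accounts if GLOBAL in a["roles"]]


def audit(accounts, policy=POLICY):
    """Map each finding kind to the principals it applies to; empty dict means clean."""
    findings = defaultdict(list)
    admins = global_admins(accounts)
    if len(admins) > policy["max_global_admins"]:
        findings["too_many_global_admins"] = [a["upn"] for a in admins]
    for a in admins:
        if not a["mfa"]:
            findings["global_admin_without_mfa"].append(a["upn"])
        if a["mailbox"]:
            # a mailbox that reads everyday mail and also holds tenant-wide rights
            findings["global_admin_is_daily_use_account"].append(a["upn"])
    return dict(findings)


if __name__ == "__main__":
    result = audit(ACCOUNTS)
    print(f"{len(global_admins(ACCOUNTS))} global admins against a ceiling of {POLICY['max_global_admins']}")
    for kind, principals in result.items():
        print(kind)
        for upn in principals:
            print("   ", upn)
```

On the constructed export the audit reports five global administrators against a ceiling of three, two of them without multifactor authentication and two doubling as everyday mail accounts; the Exchange administrator and the unprivileged user are left alone, which is the shape of the access model Weinert says the company offers but customers resist adopting.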
In 2014-2015, lax access restrictions helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.
Curtis Dukes was the head of information security for the National Security Agency at the time.
OPM shared data among various agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now CEO of the nonprofit Center for Internet Security.
“People took their eyes off the ball.”