Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny

Microsoft has become ensnared in probes surrounding the colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.


Microsoft has become ensnared in probes surrounding the recently disclosed colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.

Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.

The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.

Sponsored post

[Related: US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach]

Microsoft didn’t provide an on-the-record response to CRN questions about if the company itself was breached as part of this campaign, and how significant Microsoft’s technology was in the hackers’ ability to exploit customers. Microsoft said in a blog post Sunday that its investigations haven’t identified any Microsoft product or cloud service vulnerabilities. Once an attacker has compromised a target network, they potentially have access to a range of systems, according to a source familiar with the situation.”

On Monday, SolarWinds said it was made aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails, according to a filing with the U.S. Securities and Exchange Commission (SEC). Hackers had gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion network monitoring software, FireEye said in a blog Sunday.

That same attack vector might have provided access to other data contained in SolarWinds’ Office 365 office productivity tool, the company said. SolarWinds said it’s probing with Microsoft if any customer, personnel or other data was exfiltrated as a result of this compromise, but hasn’t uncovered any evidence at this time of exfiltration.

“SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether the compromise is associated with the attack on its Orion software build system,” the company wrote in its SEC filing.

As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.

“Having gained a significant foothold in the on-premises environment, the actor has made modifications to Azure Active Directory settings to facilitate long term access,” the Microsoft Security Research Center wrote.

The hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates, Microsoft said. They could also use their administrator privileges to grant additional permissions to the target Application or Service Principal, according to Microsoft.

Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.

And from a domain perspective, Microsoft on Monday took control over a key domain name that was used by the SolarWinds hackers to communicate with systems compromised by the backdoor Orion product updates, KrebsOnSecurity reported Tuesday. Microsoft has a long history of seizing control of domains involved with malware, particularly when those sites are being used to attack Windows clients.

Armed with that access, KrebsOnSecurity said Microsoft should soon have some idea which and how many SolarWinds customers were affected. That’s because Microsoft now has insight into which organizations have IT systems that are still trying to ping the malicious domain, KrebsOnSecurity said.

“However, because many Internet service providers and affected companies are already blocking systems from accessing that malicious control domain or have disconnected the vulnerable Orion services, Microsoft’s visibility may be somewhat limited,” KrebsOnSecurity cautioned.

The sinkhole is part of the protective work Microsoft is doing in collaboration with industry partners, according to a source familiar with the situation. In a reply to a Krebs tweet, Microsoft spokesman Jeff Jones wrote “In cybersecurity, it takes a global village ... thanks to everyone doing their part!”

FireEye declined to comment, while GoDaddy - which is the current domain registrar for the malware control servers - told CRN in a statement that it worked closely with FireEye, Microsoft and others to help keep the internet safe and secure. GoDaddy said it’s unable to provide any more specifics due to an ongoing investigation and the company’s customer privacy policy.