SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack

SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles.


SolarWinds CEO Sudhakar Ramakrishna verified Wednesday that “suspicious activity” in its Office 365 environment allowed hackers to gain access to and exploit the SolarWinds Orion development environment.

Hackers most likely entered SolarWinds’s environment through compromised credentials and/or a third-party application that capitalized on a zero-day vulnerability, Ramakrishna said.

“We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles,” he said in the blog post. “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”


The beleaguered Austin, Texas-based IT infrastructure management vendor said a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.

By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.
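The pattern described above, one account being used to programmatically read the mailboxes of other staff, is something a defender can look for in mailbox audit data. The following is an added example written for this page, not code from SolarWinds, Microsoft or the CRN article. The records are constructed and simplified; the field names (Operation, UserId, MailboxOwnerUPN, ClientInfoString) follow the general shape of Exchange mailbox-audit events, but the values and the "programmatic client" heuristic are assumptions for illustration.

```python
"""Flag a single account reading many other users' mailboxes via a non-interactive client.

Added example for this page; not code from SolarWinds, Microsoft or CRN.
Field names mirror the shape of Exchange mailbox-audit records, but every
value below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample records. "svc-sync" reads four colleagues' mailboxes
# through a REST (programmatic) client; the remaining rows are benign noise.
SAMPLE_RECORDS = [
    {"CreationTime": "2020-12-01T03:12:00", "Operation": "MailItemsAccessed",
     "UserId": "svc-sync@example.test", "MailboxOwnerUPN": "alice@example.test",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;"},
    {"CreationTime": "2020-12-01T03:13:00", "Operation": "MailItemsAccessed",
     "UserId": "svc-sync@example.test", "MailboxOwnerUPN": "bob@example.test",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;"},
    {"CreationTime": "2020-12-01T03:14:00", "Operation": "MailItemsAccessed",
     "UserId": "svc-sync@example.test", "MailboxOwnerUPN": "carol@example.test",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;"},
    {"CreationTime": "2020-12-01T03:15:00", "Operation": "MailItemsAccessed",
     "UserId": "svc-sync@example.test", "MailboxOwnerUPN": "dave@example.test",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;"},
    # A user reading her own mailbox in the browser: normal.
    {"CreationTime": "2020-12-01T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.test", "MailboxOwnerUPN": "alice@example.test",
     "ClientInfoString": "Client=OWA;Action=ViaProxy"},
    # A delegate opening one colleague's mailbox interactively: below threshold.
    {"CreationTime": "2020-12-01T09:05:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.test", "MailboxOwnerUPN": "carol@example.test",
     "ClientInfoString": "Client=MSExchangeRPC"},
    # Not a mailbox read at all: ignored by the rule.
    {"CreationTime": "2020-12-01T09:06:00", "Operation": "UserLoggedIn",
     "UserId": "svc-sync@example.test", "MailboxOwnerUPN": "",
     "ClientInfoString": ""},
]

# Assumed heuristic: these client markers indicate API-driven rather than
# interactive mailbox access. Tune to the tenant's real baseline.
PROGRAMMATIC_MARKERS = ("Client=REST", "Client=EWS")


def is_programmatic(client_info: str) -> bool:
    """True when the client string carries one of the programmatic markers."""
    return any(marker in client_info for marker in PROGRAMMATIC_MARKERS)


def find_mailbox_sweeps(records, min_mailboxes: int = 3):
    """Return {actor: [mailboxes]} for actors that read at least
    `min_mailboxes` mailboxes belonging to *other* users via a programmatic client."""
    touched = defaultdict(set)
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        actor = rec.get("UserId", "").lower()
        owner = rec.get("MailboxOwnerUPN", "").lower()
        if not owner or owner == actor:
            continue  # own-mailbox reads are expected
        if not is_programmatic(rec.get("ClientInfoString", "")):
            continue
        touched[actor].add(owner)
    return {actor: sorted(boxes) for actor, boxes in touched.items()
            if len(boxes) >= min_mailboxes}


if __name__ == "__main__":
    for actor, boxes in find_mailbox_sweeps(SAMPLE_RECORDS).items():
        print(f"ALERT {actor} read {len(boxes)} other mailboxes: {', '.join(boxes)}")
```

The threshold and the client markers are the tunable parts: a mail-archiving service account legitimately touches many mailboxes, so in practice the rule is paired with an allowlist of known integrations and with a comparison against each account's historical distinct-mailbox count.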

[Related: SolarWinds CEO: Attack Was ‘One Of The Most Complex And Sophisticated’ In History]

SolarWinds’s investigation has not identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, he said Wednesday. A day earlier, Ramakrishna told The Wall Street Journal that one of several theories the company was pursuing is that the hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.

Microsoft declined to comment to CRN. Ramakrishna said SolarWinds has analyzed data from multiple systems and logs, including from its Office 365 and Azure tenants, as part of its investigation. The SolarWinds hack is believed to be the work of the Russian foreign intelligence service.

“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products,” Ramakrishna wrote in a blog post Wednesday.

Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised to infect other firms the way SolarWinds was.

SolarWinds’s investigations will be ongoing for at least several more weeks, and possibly months, due to the sophistication of the campaign and actions taken by the hackers to remove evidence of their activity, he said. SolarWinds has not determined the exact date hackers first gained unauthorized access to the company’s environment, though innocuous code changes were first made to Orion in October 2019.

The hackers deleted programs following use to avoid forensic discovery and masqueraded file names and activity to mimic legitimate applications and files, he said. The hackers had automated dormancy periods of two weeks or more prior to activation and utilized servers outside the monitoring authority of U.S. intelligence, he said.
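Two of the behaviours listed above, file names masquerading as legitimate applications and tooling deleted right after use, can be checked for in endpoint telemetry. The following is an added example written for this page, not code from SolarWinds or from the investigation. The process-start and file-delete events are constructed, the mapping of well-known binary names to their expected directories is a minimal assumption, and the 15-minute run-then-delete window is an illustrative choice.

```python
"""Spot masqueraded binaries and run-then-delete cleanup in endpoint events.

Added example for this page; not code from SolarWinds or its investigation.
All events and the expected-directory table are constructed assumptions.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed allowlist: where these well-known Windows binaries normally live.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed sample telemetry: (timestamp, event type, image path).
SAMPLE_EVENTS = [
    ("2020-12-01T10:00:00", "ProcessStart", r"C:\Windows\System32\svchost.exe"),
    ("2020-12-01T10:05:00", "ProcessStart", r"C:\Users\Public\svchost.exe"),   # masquerade
    ("2020-12-01T10:07:00", "FileDelete",   r"C:\Users\Public\svchost.exe"),   # cleanup
    ("2020-12-01T10:30:00", "ProcessStart", r"C:\Windows\System32\lsass.exe"),
    ("2020-12-01T11:00:00", "ProcessStart", r"C:\Temp\report.exe"),            # unknown name
    ("2020-12-01T11:01:00", "FileDelete",   r"C:\Temp\report.exe"),            # deleted after run
    ("2020-12-01T15:00:00", "FileDelete",   r"C:\Windows\System32\lsass.exe"), # too late to pair
]


def _split(path: str):
    """Normalise a Windows path into (lower-case directory, lower-case file name)."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def masquerades(events):
    """Paths of processes whose file name is a well-known binary but whose
    directory is not one of the expected locations for that name."""
    hits = set()
    for _, kind, path in events:
        if kind != "ProcessStart":
            continue
        directory, name = _split(path)
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            hits.add(path.lower())
    return sorted(hits)


def run_then_deleted(events, window: timedelta = timedelta(minutes=15)):
    """Paths that were executed and then deleted within `window`, the
    self-cleanup pattern described in the article."""
    starts = {}
    for ts, kind, path in events:
        if kind == "ProcessStart":
            starts.setdefault(path.lower(), []).append(datetime.fromisoformat(ts))
    hits = set()
    for ts, kind, path in events:
        if kind != "FileDelete":
            continue
        when = datetime.fromisoformat(ts)
        for started in starts.get(path.lower(), []):
            if timedelta(0) <= when - started <= window:
                hits.add(path.lower())
                break
    return sorted(hits)


if __name__ == "__main__":
    print("masqueraded binaries:", masquerades(SAMPLE_EVENTS))
    print("run-then-deleted:", run_then_deleted(SAMPLE_EVENTS))
```

The two checks are deliberately independent: a masquerade without a delete and a delete without a masquerade each stand on their own as a finding, and in a real pipeline both would be joined with process hashes and signer information rather than path strings alone.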

Going forward, Ramakrishna said SolarWinds plans to better secure its environment and systems against vulnerabilities by: upgrading to stronger and deeper endpoint protection; enhancing its data loss prevention offering to better detect low and slow leaks; expanding its Security Operations Center to improve visibility and threat hunting; and tightening its firewall policies to further limit east/west traffic.

From a zero trust standpoint, he said SolarWinds plans to increase and strictly enforce requirements for multi-factor authentication in its environment, and expand the use of a privileged access manager for admin accounts. As for third-party application access, SolarWinds plans to boost ongoing monitoring and inspection of SaaS tools and increase the level of pre-procurement security reviews for all vendors.

“While we believe our prior practices were representative of practices within the broader software industry, armed with what we’ve learned about this attack, we’re taking immediate steps to strengthen and protect our environment by implementing additional security practices,” Ramakrishna said.