The suspected Russian hackers behind the worst U.S. cyber attack in years leveraged reseller access to Microsoft Corp services to penetrate targets that had no compromised network software from SolarWinds Corp, investigators said.
While updates to SolarWinds’ Orion software were previously the sole known point of entry, security company CrowdStrike Holdings Inc said Thursday that hackers had gained access to the reseller that sold it Office licenses and used that access to try to read CrowdStrike’s email.
It did not specifically identify the hackers as the same ones that compromised SolarWinds, but two people familiar with CrowdStrike’s investigation said they were. CrowdStrike uses Office programs for data processing but not for email. The failed attempt, made months ago, was disclosed to CrowdStrike by Microsoft on Dec. 15.
CrowdStrike, which does not use SolarWinds, said it had found no impact from the intrusion attempt and declined to name the reseller.
“They came through the reseller’s access and tried to enable mail ‘read’ privileges,” one of the people familiar with the investigation said in an interview. “If it had been using Office 365 for email, it would have been game over.”
Many Microsoft software licenses are sold through third parties, and those companies can have near-constant access to clients’ systems as the customers add products or employees. Microsoft said Thursday that those customers need to be vigilant. “Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,” said Microsoft senior director Jeff Jones. “We have not identified any vulnerabilities or compromise of Microsoft product or cloud services.”
The use of a Microsoft reseller to try to break into a top digital defense company raises new questions about how many avenues the hackers, whom U.S. officials have alleged are operating on behalf of the Russian government, have at their disposal.
The known victims so far include CrowdStrike security rival FireEye Inc and the U.S. Departments of Defense, State, Commerce, Treasury, and Homeland Security. Other big companies, including Microsoft and Cisco Systems Inc, said they found tainted SolarWinds software internally but had not found signs that the hackers used it to move widely within their networks.
Until now, Texas-based SolarWinds was the sole publicly confirmed channel for the initial break-ins, although officials were warning for days that the hackers had other ways in.
It was reported a week ago that Microsoft products were used in the attacks. But federal officials said that they had not seen it as an initial vector, and the software giant said its systems were not used in the campaign. Microsoft then hinted that its customers should still be wary. At the top of a long, technical blog post on Tuesday, it used one sentence to say it was seeing hackers reach the Microsoft 365 cloud “from trusted vendor accounts where the attacker had compromised the vendor environment.”
Microsoft requires its vendors to have access to client systems in order to install products and add new users. But discovering which vendors still hold access rights at any given time is so hard that CrowdStrike developed and released an auditing tool to do that. After a series of other breaches through cloud providers, including a serious set of attacks attributed to Chinese government-backed hackers and known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multi-factor authentication.
The Cybersecurity and Infrastructure Security Agency and therefore the National Security Agency had no immediate comment.
Also on Thursday, SolarWinds released an update to fix the vulnerabilities in its flagship network management software Orion following the discovery of a second set of hackers that had targeted the company’s products.
That followed a separate Microsoft blog post on Friday saying that SolarWinds’ software had been targeted by a second, unrelated group of hackers in addition to those linked to Russia.
The identity of the second set of hackers, and the degree to which they may have successfully broken in anywhere, remains unclear.
Russia has denied having any role within the hacking.