Russian hackers used Microsoft vendors to attack customers
Russian hackers believed to be behind America’s worst cyber attack in years exploited reseller access to Microsoft Corp’s services to penetrate targets that had not installed compromised SolarWinds Corp network-management software, investigators said.
While tainted updates to SolarWinds’ Orion software were previously the only known entry point, security firm CrowdStrike Holdings Inc said on Thursday that the hackers had gained access to the reseller that sold it Office licenses and had used that access to try to read CrowdStrike’s email.
CrowdStrike did not specifically identify the hackers as the ones who compromised SolarWinds, but two people familiar with the CrowdStrike investigation said they were. CrowdStrike uses Office programs for word processing, but not for email. The failed attempt, made months ago, was reported to CrowdStrike by Microsoft on December 15.
CrowdStrike, which does not use SolarWinds, said it found no impact from the attempted intrusion and declined to name the reseller.
“They got in through the reseller access and tried to enable the ‘read’ mail privileges,” one of the people familiar with the investigation told Reuters. “If it had used Office 365 for email, the game would have been over.”
Many Microsoft software licenses are sold through third parties, and these resellers may have near-constant access to customer systems as customers add products or employees. Microsoft said Thursday that those customers need to be vigilant. “Our investigation of recent attacks revealed incidents involving misuse of credentials to gain access, which can take many forms,” said Jeff Jones, a senior manager at Microsoft. “We have not identified any vulnerabilities or compromises in Microsoft products or cloud services.”
Using a Microsoft reseller to try to break into a leading digital defense company raises new questions about the number of avenues the hackers, who US officials say operate on behalf of the Russian government, have at their disposal.
Known victims so far include CrowdStrike’s security rival FireEye Inc and the US departments of Defense, State, Commerce, Treasury, and Homeland Security. Other large companies, including Microsoft and Cisco Systems Inc, said they found the tainted SolarWinds software on their internal networks, but found no signs that the hackers had used it to spread widely across those networks.
So far, Texas-based SolarWinds has been the only publicly confirmed channel for the initial intrusions, although authorities have been warning for days that the hackers had other means of entry.
Reuters reported a week ago that Microsoft products had been used in the attacks. But federal officials said they did not see them as an initial vector, and the software giant said its systems were not being used in the campaign.
Microsoft then hinted that its customers should always be wary. At the end of a lengthy technical blog post on Tuesday, it mentioned in a single phrase that it had seen the hackers accessing Microsoft 365 cloud services “from trusted vendor accounts where the attacker compromised the vendor’s environment.”
Microsoft’s resellers need access to customer tenants in order to install products and authorize new users. But finding out which providers still hold access rights at any given time is so difficult that CrowdStrike developed and released an auditing tool to do so. After a series of other breaches through cloud providers, including a major set of attacks attributed to Chinese government-backed hackers known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multi-factor authentication.
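The attempt described above targeted mail-read privileges, so the check a tenant administrator would want is an inventory of who can read mailboxes: applications holding mail permissions on Microsoft Graph or Exchange Online, accounts holding the Exchange ApplicationImpersonation role, and members of the directory roles a reseller’s delegated admin access would map to. The script below is an added example written for this article, not the CrowdStrike tool mentioned above. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the operator can sign in with read access to service principals, directory roles and Exchange role assignments; the function name and the output shape are the author’s choice. Delegated admin relationships with partners themselves are not enumerated here; they are reviewed in the Microsoft 365 admin center under Settings > Partner relationships.

```powershell
# Added example (not from the article): list principals that can read mail in a tenant.
# Assumes: Microsoft.Graph and ExchangeOnlineManagement modules installed; caller has
# read rights on service principals, directory roles and Exchange role assignments.

function Get-MailAccessPrincipals {
    Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" | Out-Null
    Connect-ExchangeOnline -ShowBanner:$false

    $findings = @()

    # 1. Application permissions on Microsoft Graph and on the legacy Exchange Online
    #    service principal. Any Mail.* app role (or full_access_as_app) lets an app
    #    read mailboxes tenant-wide without a user signing in.
    $resourceAppIds = @(
        '00000003-0000-0000-c000-000000000000',   # Microsoft Graph
        '00000002-0000-0ff1-ce00-000000000000'    # Office 365 Exchange Online
    )
    foreach ($appId in $resourceAppIds) {
        $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
        if (-not $resourceSp) { continue }   # resource SP not present in this tenant
        $mailRoles = $resourceSp.AppRoles | Where-Object {
            $_.Value -like 'Mail.*' -or $_.Value -eq 'full_access_as_app'
        }
        $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resourceSp.Id -All
        foreach ($a in $assignments) {
            $role = $mailRoles | Where-Object { $_.Id -eq $a.AppRoleId }
            if ($role) {
                $findings += [pscustomobject]@{
                    Source    = "AppRole on $($resourceSp.DisplayName)"
                    Principal = $a.PrincipalDisplayName
                    Id        = $a.PrincipalId
                    Access    = $role.Value
                }
            }
        }
    }

    # 2. Exchange ApplicationImpersonation: lets the assignee act as any mailbox via EWS.
    #    -GetEffectiveUsers expands group assignments to the individual accounts.
    Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source    = "ApplicationImpersonation ($($_.RoleAssigneeName))"
                Principal = $_.EffectiveUserName
                Id        = $_.RoleAssigneeType
                Access    = 'Impersonate any mailbox'
            }
        }

    # 3. Privileged directory roles. Delegated admin access from a reseller lands in
    #    these roles; Get-MgDirectoryRole only returns roles already activated in the tenant.
    $watchRoles = 'Global Administrator', 'Exchange Administrator', 'Privileged Authentication Administrator'
    Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $watchRoles } | ForEach-Object {
        $r = $_
        Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | ForEach-Object {
            $findings += [pscustomobject]@{
                Source    = "Directory role: $($r.DisplayName)"
                Principal = $_.AdditionalProperties['displayName']
                Id        = $_.Id
                Access    = $_.AdditionalProperties['@odata.type']   # user, group or servicePrincipal
            }
        }
    }

    return $findings
}

# Usage: review every row; anything you cannot tie to a named, current business need
# (a departed reseller, a forgotten integration app) is a candidate for removal.
Get-MailAccessPrincipals | Sort-Object Source, Principal | Format-Table -AutoSize
```

Run it periodically, not once: the article’s point is that reseller and application access accumulates silently as products and users are added, so the inventory drifts between audits.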
The Cybersecurity and Infrastructure Security Agency and the National Security Agency did not immediately comment.
Also on Thursday, SolarWinds released an update to address vulnerabilities in its flagship network management software, Orion, following the discovery of a second group of hackers who had targeted the company’s products.
This followed a separate Microsoft blog post on Friday that said SolarWinds had its software targeted by a second unrelated group of hackers in addition to those linked to Russia.
The identity of the second group of hackers, or the extent to which they managed to break into any location, remains unclear.
Russia has denied playing a role in the hacking.