Dive Brief:
- Microsoft wrapped up its internal investigation of the nation-state cyber campaign behind the SolarWinds attack, claiming its systems were not used to attack anyone else, according to a blog post from the company. The attackers did not gain access to customer data or production services, the company said.
- However, the company confirmed the attackers accessed — and in some cases downloaded — small amounts of source code for Azure, Exchange and Intune, a cloud-based service to manage mobile devices and laptops.
- Microsoft said it will embrace two key lessons in security: maintaining a zero trust "assume breach" mindset and protecting privileged credentials, which will help customers secure their M365 from on-premises attacks.
Dive Insight:
Microsoft, which played a critical role in helping to detect and mitigate the damage from the historic nation-state attack, said it's ready to turn the page on what it calls Solorigate. However, the company warned the industry must change how it handles data security to prevent a similar incident in the future.
Microsoft in late December disclosed that malicious actors viewed some source code in its repositories, but did not disclose which particular code was involved. Industry officials have questioned in recent weeks whether Microsoft technology was used in any way as a vector to attack other members of the supply chain.
Without additional details, it remains unclear whether there is a continued security concern now that the source code has been accessed.
"There is always a risk when source code has been exposed," Michael Dolinsky, CTO at Ermetic, said. "In the cloud it is difficult for hackers to find vulnerabilities because they do not have access to either the executables or the source code. So, they are limited to 'black box' attacks."
He added that once malicious actors have the source code, they may find vulnerabilities and figure out a way to exploit them.
As previously reported, companies including Mimecast, Malwarebytes and other security firms were impacted by the supply chain attack. The Biden administration is investigating the attack to understand how it escaped detection for so long and how to prevent it from happening in the future.
U.S. officials have named Russia as the suspected source of the attack, and the administration's new point person on SolarWinds, Anne Neuberger, warned this week that the attack posed a threat to the country and had the potential for disruption.
The Senate Intelligence Committee is scheduled to hold a hearing on the SolarWinds attack on Feb. 23, featuring testimony from Microsoft President Brad Smith, SolarWinds CEO Sudhakar Ramakrishna, FireEye CEO Kevin Mandia and CrowdStrike CEO George Kurtz.
Microsoft is calling for customers to implement a zero trust architecture that assumes even the most trusted users are potential adversaries, said Vasu Jakkal, corporate vice president, security, compliance and identity at Microsoft, in a blog post Thursday.
"In this approach, companies must assume all activity — even by trusted users — could be an attempt to breach systems, and everything a company does should be designed around that assumption," Jakkal said.
Companies need to take immediate steps to protect identities by limiting privileged access, as weak passwords and a lack of multifactor authentication opened customers up to attack. Jakkal warned that abandoned app accounts without multifactor authentication were used to access privileged administrative settings in the cloud.
Microsoft also is urging companies to manage identity and access from the cloud, particularly in light of the large amount of work being done remotely.