SolarWinds hacking campaign puts Microsoft in the hot seat

By The Associated Press

BOSTON (AP) — The sprawling hacking campaign deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update was seeded by Russian intelligence agents with malware to penetrate sensitive government and private networks.

Yet it was Microsoft whose code the cyber spies persistently abused in the campaign's second stage, rifling through emails and other files of such high-value targets as then-acting Homeland Security chief Chad Wolf — and hopping undetected among victim networks.

This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.

Seeking to assuage concerns, Microsoft this past week offered all federal agencies a year of “advanced” security features at no extra charge. But it also seeks to deflect blame, saying it is customers who do not always make security a priority.

Risks in Microsoft's foreign dealings also came into relief when the Biden administration imposed sanctions Thursday on a half-dozen Russian IT companies it said support Kremlin hacking. Most prominent was Positive Technologies, which was among more than 80 companies that Microsoft has supplied with early access to data on vulnerabilities detected in its products. Following the sanctions announcement, Microsoft said Positive Tech was no longer in the program and removed its name from a list of participants on its website.

The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers.

The SolarWinds hackers' abuse of Microsoft’s identity and access architecture — which validates users' identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products vacuuming up emails and files from dozens of organizations.”

Thanks in part to the carte blanche that victim networks granted the infected SolarWinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security company.

The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity and Infrastructure Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.

Microsoft President Brad Smith told a February congressional hearing that just 15% of victims were compromised through an authentication vulnerability first identified in 2017 — allowing the intruders to impersonate authorized users by minting the rough equivalent of counterfeit passports.

Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D-Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.

“Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.

When Microsoft on Wednesday announced a year of free security logging for federal agencies, for which it normally charges a premium, Wyden was not appeased.

“This move is far short of what’s needed to make up for Microsoft’s recent failures,” he said in a statement. “The government still won’t have access to important security features without handing over even more money to the same company that created this cybersecurity sinkhole.”

Rep. Jim Langevin, D-R.I., had pressed Smith in February on the security logging upsell, comparing it to making seat belts and air bags options in cars when they should be standard. He commended Microsoft for the one-year reprieve, but said a longer-term conversation is due about it “not being a profit center.” He said “this buys us a year.”

Even the highest level of logging doesn't prevent break-ins, though. It only makes it easier to detect them.

And remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry's most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.

The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users' email and other info.

Across the industry, Microsoft’s investments in security are widely acknowledged. Because its visibility into networks is so great, it is often the first to identify major cybersecurity threats. But many argue that as the chief supplier of security solutions for its products, it needs to be more mindful about how much it should profit off defense.

“The crux of it is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.

Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million appropriated for the Cybersecurity and Infrastructure Security Agency in last month's $1.9 trillion pandemic relief act.

A Microsoft spokesperson would not say how much, if any, of that money it would be getting, referring the question to the cybersecurity agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he didn't think a final decision has been made.

In the budget year ending in September, the federal government spent more than half a billion dollars on Microsoft software and services.

Many security experts believe Microsoft's single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.

Alex Weinert, Microsoft's director of identity security, said it offers various ways for customers to strictly limit users’ access to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014-2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes was the National Security Agency's head of information assurance at the time.

The OPM shared data across multiple agencies using Microsoft's authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.

“People took their eye off the ball.”

___

This story was first published on April 17, 2021. It was updated on April 23, 2021, to correct the details of how Microsoft detected the related breach of its network. Microsoft responders, not the cybersecurity firm FireEye, discovered the intrusion on Microsoft’s network after FireEye alerted Microsoft that SolarWinds’ customers had been infiltrated.

© Copyright 2021 AccessWDUN.com