SolarWinds Hack: ‘All is Well,’ Microsoft Shrugs

Microsoft would like you to know it’s finished investigating the SolarWinds breach of its network, and everything’s just fine. Not a thing to worry about. Everything’s tickety-boo.

Well, the thieves did steal some source code. But only little bits. Nothing important. And there were no hard-coded credentials, because Microsoft would never use those. Scout’s honor.

This is all a bit too neat and tidy for my liking. In today’s SB Blogwatch, we check under the rug.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Bedlam DL3 (director’s cut).

“Trust Us (Except Don’t)”

What’s the craic? Lawrence Abrams reports—“Microsoft: SolarWinds hackers downloaded some Azure, Exchange source code”:

 In December, it was disclosed that the SolarWinds’ network management company suffered a sophisticated cyberattack that allowed hackers to create a supply chain attack targeting the company’s customers. [And then] Microsoft announced in December that they were affected by the attack and that hackers could gain access to a limited amount of source code repositories.

Today, Microsoft [said that] for some repositories, including ones for Azure, Intune, and Exchange, the attackers could download … “a small subset of” … source code. … Microsoft’s investigation determined that the accessed code did not contain any credentials. … Microsoft states that their investigation has shown that it is essential to assume a ‘Zero Trust’ philosophy.

So, “Everything’s okay, trust us.” Except, “Don’t trust us,” right? Catalin Cimpanu adds—“hackers downloaded some … source code”:

 Microsoft’s security team said [it] found no evidence that hackers … pivot[ed] and attack[ed] customers. [And] that, based on the search queries attackers performed … the intruders appeared to have been focused on locating secrets (aka access tokens) that they could use to expand their access to other Microsoft systems.

But … the hackers also managed to download some code. However, Microsoft said the … the intruders only downloaded the source code of a few components related to some of its cloud-based products. … All in all, the incident doesn’t appear to have damaged Microsoft’s products or have led to hackers gaining extensive access to user data.

I see the sticky fingers of Microsoft PR all over this so-called “blog post”:

 We believe the … incident is an opportunity to work with the community, to share information, strengthen defenses and respond to attacks. We have now completed our internal investigation [and] confirm that we found no evidence of access to production services or customer data. [We] also found no indications that our systems … were used to attack others.

The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance.

Protecting credentials is essential. In deployments that connect on-premises infrastructure to the cloud, organizations can delegate trust to on-premises components. This creates an additional seam that organizations need to secure. … If the on-premises environment is compromised, this creates opportunities for attackers to target cloud services.

Phew. That’s okay then? Not so fast, says Slayer:

 Microsoft claims that the code seen by the attackers contained no hard coded … credentials, and they almost make it sound like, “Nothing to see here, please move along.” That sigh of relief may be a bit premature, though.

The attackers seemed to have focused their attention on security and identity components, which are exactly the parts likely containing the most critical as of yet unknown vulnerabilities, and those with the highest impact. We’ll … see how many urgent security fixes these products will receive over the next few months.

Fair point. Well made. And El Chupageek agrees:

 Those are pretty good subsets to target if an attacker wants to hunt for vulns for future operations: An Intune vuln would be a great way to gain access to a wide variety of mobile devices, and Azure identity is basically the foundation of all of MS cloud services, so definitely an interesting target.

Hope MS is being extra special paranoid about assessing those code bases right now.

However, Lee D foresees a different outcome:

 The next day they receive a note from the thieves with, “You can keep this junk,” written on it. Oh, and a patch for the 20 security flaws they found just glancing at it.

And The_Assimilator looks further afield:

 How the **** is SolarWinds still in business? … Orion is their main product and it should never be used again, period.

Who knows what inherent flaws it has that the hackers discovered and set aside for a rainy day? In short it’s completely compromised and if I was a company using it, I would have uninstalled it from everything and cancelled the support contract months ago.

Yet here we are and everything appears to be just fine. Does that mean that (horror) companies are still using Orion? Does it mean that Microsoft (mind-numbing horror!) is still using Orion?

Pulling the threads back together, it’s heresie-dabord with this powerful excoriation:

 Microsoft’s “system of trust” was undermined. The attacker was even inside Microsoft and Azure. No anti-virus, no “Defender”, no amount of basic or advanced telemetry caught this.

The major purveyor of OS and security products itself was compromised. No company, no $agency did due diligence. Some of these victims are supposed to be in the business of high-assurance and due diligence.

None of the systems that we are conditioned to believe to be effective actually worked. And it was a standard use-case for all the victims.

The real “elephant in the room” is that software security continues to be marketing theatre. Closed-source software should not be trusted and consumers should not believe that any due diligence has been done to protect them.

Meanwhile, randomcat distills Microsoft’s report into witchcraft precis:

 ”Based on which pages they ripped out of our magic tomes, we can infer which spells they stole.”

And Finally:

Bedlam DL3: The definitive account

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Dan Taylor/Heisenberg Media (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 680 posts and counting.See all posts by richi