The sprawling hacking campaign, seen as a serious threat to US national security, has come to be known as SolarWinds, after the company whose software update Russian intelligence operatives seeded with malware to penetrate sensitive government and private networks.

Yet it was Microsoft whose code the cyber spies persistently abused during the campaign's second stage, rummaging through the emails and other files of targets as prominent as then-sitting Homeland Security chief Chad Wolf and hopping undetected from one victim network to another.

This has put the world's third most valuable company in the spotlight. Because its products are a de facto monoculture in government and industry, with more than 85% market share, federal lawmakers are insisting that Microsoft quickly improve its security to the level they say it should have provided in the first place, and without fleecing taxpayers to do it.

Seeking to allay those concerns, Microsoft last week offered all federal agencies a year of advanced security features at no additional cost. But it has also sought to deflect blame, saying it is customers who do not always make security a priority.

The risks of Microsoft's foreign dealings were also highlighted when the Biden administration on Thursday imposed sanctions on half a dozen Russian IT companies it said support Kremlin hacking. The most prominent was Positive Technologies, which was among more than 80 companies to which Microsoft gave early access to data on vulnerabilities found in its products. After the sanctions were announced, Microsoft said Positive Tech was no longer part of the program and removed its name from a list of participants on its website.

The SolarWinds hackers took full advantage of what George Kurtz, CEO of the leading cybersecurity firm CrowdStrike, called systematic weaknesses in key pieces of Microsoft code to exploit at least nine US government agencies, the Justice and Treasury Departments among them, and more than 100 private companies and think tanks, including software and telecommunications providers.

The SolarWinds hackers' abuse of Microsoft's identity and access architecture, which validates users' identities and grants them access to email, documents and other data, did the most damage, the nonpartisan Atlantic Council think tank said in a report. It was what distinguished the hack as a sweeping intelligence coup. In nearly every case of post-intrusion mischief, the intruders "silently moved through Microsoft products, sucking up emails and files from dozens of organizations."

Thanks in part to the carte blanche that victim networks granted the infected SolarWinds network-management software in the form of administrative privileges, the intruders could move laterally through those networks and even jump between organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, an email security firm.

The hallmark of the campaign was the intruders' ability to impersonate legitimate users and create forged credentials that let them retrieve data stored remotely by Microsoft Office, the acting director of the Cybersecurity and Infrastructure Security Agency, Brandon Wales, told a congressional hearing in mid-March. All of it was possible because they had compromised the systems that manage trust and identity on networks, he said.

Microsoft President Brad Smith said at a February congressional hearing that only 15% of the victims were compromised through an authentication vulnerability first identified in 2017, which let the intruders impersonate authorized users by minting the rough equivalent of counterfeit passports.

Microsoft officials point out that the SolarWinds update was not always the entry point; the intruders sometimes took advantage of weaknesses such as weak passwords and victims' lack of multifactor authentication. But critics say the company has taken security too lightly. Sen. Ron Wyden, D-Ore., has verbally criticized Microsoft for failing to provide federal agencies with a level of event logging that, even if it would not have detected the SolarWinds hack in progress, would at least have given responders a record of where the intruders had been and what they saw and removed.

Microsoft chooses the default settings in the software it sells, and although the company has known for years about the hacking technique used against US government agencies, it did not set default logging settings that capture the information needed to spot hacks in progress, Wyden said. He was not the only federal lawmaker to complain.

When Microsoft announced a year of free security logging for federal agencies on Wednesday, something it normally charges a premium for, Wyden was not appeased.

The move falls far short of what is needed to make up for Microsoft's recent failures, he said in a statement. "The government will still not have access to important security features without handing over even more money to the same company that created this cybersecurity chasm."

Rep. Jim Langevin, D-R.I., had pressed Smith in February on the upselling of security logging, comparing it to making seat belts and airbags optional in cars when they should be standard. He praised Microsoft for the one-year reprieve but said a longer-term conversation was needed about logging not being a profit center. "This buys us a year," he said.

Even the highest level of logging, however, does not prevent break-ins. It only makes them easier to detect.

And remember, many security professionals note, Microsoft itself was compromised by the SolarWinds intruders, who gained access to some of its source code, its crown jewels. Microsoft's full line of security products, and some of the industry's most skilled cyber-defense practitioners, had failed to detect the ghost in the network. It was alerted to its own breach by FireEye, the cybersecurity company that first detected the hacking campaign in mid-December.

The intruders in the separate hack of Microsoft Exchange email servers disclosed in March, which has been blamed on Chinese spies, used entirely different infection methods. But they too gained immediate high-level access to email and other user information.

Across the industry, Microsoft's investments in security are widely acknowledged. It is often the first to identify major cybersecurity threats, so great is its visibility into networks. But many argue that, as a leading seller of security solutions for its own products, it needs to be more mindful of how much it should profit from defending them.

"The bottom line is Microsoft is selling you the disease and the cure," said Marc Maiffret, a cybersecurity veteran who has built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.

Last month, Reuters reported that a $150 million payment to Microsoft for a secure cloud platform was included in a draft plan for spending the $650 million allotted to the Cybersecurity and Infrastructure Security Agency under last month's $1.9 trillion pandemic relief law.

A Microsoft spokesperson would not say how much, if any, of that money the company stood to receive, referring the question to the cybersecurity agency. A spokesperson for the agency, Scott McConnell, would not say either. Langevin said he did not think a final decision had been made.

In the fiscal year ending in September, the federal government spent more than half a billion dollars on Microsoft software and services.

Many security experts believe that Microsoft's single sign-on model, which emphasizes user convenience over security, is ripe for retooling to reflect a world in which state-backed hackers now routinely break into American networks.

Alex Weinert, Microsoft's director of identity security, said the company offers customers several ways to strictly limit users' access to what they need to do their jobs. But getting customers to adopt them can be difficult because it often means giving up three decades of IT habit and disrupting business. Customers tend to set up too many accounts with the broad global administrative privileges that enabled the SolarWinds campaign's abuses, he said. "That's not the only way to do it, that's for sure."

In 2014-2015, lax access restrictions helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management.

Curtis Dukes was the head of information assurance for the National Security Agency at the time.

OPM shared data across multiple agencies using Microsoft's authentication architecture, effectively granting access to far more users than it should have, said Dukes, now CEO of the nonprofit Center for Internet Security.

"People took their eye off the ball," he said.

