The suspected Russian hackers behind the worst US cyberattack in years used reseller access to Microsoft Corp services to penetrate targets where SolarWinds Corp network software was not compromised. While updates to SolarWinds’ Orion software have been the only known entry point so far, security firm CrowdStrike Holdings Inc announced that hackers on Thursday had gained access to the vendor that sold the Office licenses and tried to use it to access the emails from CrowdStrike. The hackers weren’t specifically identified as those who compromised SolarWinds, but two people familiar with CrowdStrike’s investigation said they did. CrowdStrike uses Office programs for word processing, but not for email. The failure, made months ago, was reported to CrowdStrike on December 15th by Microsoft.
CrowdStrike, not using SolarWinds, said it had not seen any impact from the intrusion attempt and declined to name the reseller. “You came in via the reseller’s access and tried to activate e-mail read permissions,” one of the people familiar with the investigation told Reuters. “If Office 365 had been used for email, it would be game over.” Many Microsoft software licenses are sold through third parties, and those companies have almost constant access to customers’ systems as customers add products or employees. Microsoft said Thursday these customers need to be vigilant. “Our investigation into the recent attacks has revealed incidents where credentials have been misused to gain access. These can take many forms,” said Jeff Jones, Microsoft senior director. “We did not find any weaknesses or compromises in Microsoft products or cloud services.” Using a Microsoft reseller to try to break into a top digital defense company raises new questions about how many options are available to the hackers that US officials supposedly operate on behalf of the Russian government.
Known victims include CrowdStrike security competitor FireEye Inc and the U.S. Department of Defense, State, Commerce, Treasury, and Homeland Security. Other large companies, including Microsoft and Cisco Systems Inc, said they found tainted SolarWinds software internally, but found no evidence that the hackers used it to gain wide reach on their networks. So far, Texas-based SolarWinds has been the only publicly confirmed channel for the initial break-ins, though officials have been warning for days that the hackers had other options.
Reuters reported a week ago that Microsoft products were used in attacks. But federal officials said they didn’t see it as the first vector, and the software giant said its systems weren’t used in the campaign. (https://www.reuters.com/article/idUSKBN28R2ZJ) Microsoft then indicated that its customers should continue to be careful. At the end of a long technical blog post on Tuesday, it was mentioned in one sentence that hackers can access Microsoft 365 Cloud “from trusted provider accounts where the attacker has compromised the provider environment”.
Microsoft requires its vendors to access client systems in order to install products and allow new users. However, it is so difficult to find out which vendors still have access rights at any given point in time that CrowdStrike developed and released an auditing tool to do it. After a number of other violations by cloud vendors, including a number of attacks caused by Chinese government-backed hackers known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multi-factor Authentication.
The Cybersecurity and Infrastructure Security Agency and the National Security Agency had no immediate comment.
Also on Thursday, SolarWinds released an update to address vulnerabilities in its flagship network management software, Orion, after a second group of hackers was discovered targeting the company’s products. It was followed by a separate Microsoft blog post on Friday which found that SolarWinds’ software was targeted by a second and unrelated group of hackers in addition to Russia-related hackers. The identity of the second group of hackers or the extent to which they successfully broken into somewhere remains unclear. Russia has denied playing a role in the hacking.
(This story was not edited by GossipMantri staff and is automatically generated from a syndicated feed.)