Microsoft: Office 365 Was Not SolarWinds Initial Attack Vector
SolarWinds CEO Says No Office 365 Vulnerability Pinpointed as Entry Point
Microsoft's security team says the company's Office 365 suite of products did not serve as an initial entry point for the hackers who waged the SolarWinds supply chain attack.
And SolarWinds' CEO, in a new blog, says the company "has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment." The incident, he says, involved the compromise of an email account through the theft of credentials.
Microsoft also points to credential theft. "In our investigations to date, data hosted in Microsoft services - including email - was sometimes a target in the [SolarWinds-related] incidents, but the attacker had gained privileged credentials in some other way," according to Microsoft's security team, which published a blog Thursday.
In a December 2020 8-K filing with the U.S. Securities and Exchange Commission, SolarWinds seemed to imply that the hackers had used Office 365 as an attack vector.
"SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the company’s emails and may have provided access to other data contained in the company’s office productivity tools," the company wrote in its SEC filing.
But SolarWinds CEO Sudhakar Ramakrishna wrote in a Wednesday blog post: "While we’ve confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365. We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion [network monitoring platform] development environment."
Ramakrishna took over as SolarWinds CEO on Jan. 4, about one month after the supply chain attack became public.
Microsoft's Assessment
In its Thursday blog, the Microsoft team says the compromise techniques leveraged by the SolarWinds hackers included "password spraying, spear-phishing and use of webshell through a web server and delegated credentials."
Earlier this week, acting CISA Director Brandon Wales told The Wall Street Journal that the SolarWinds cyberespionage operation gained access to targets using a multitude of methods, including password spraying and through exploits of vulnerabilities in cloud software (see: SolarWinds Hackers Cast a Wide Net).
"As part of the investigative team working with FireEye, we were able to analyze the attacker’s behavior with a forensic investigation and identify unusual technical indicators that would not be associated with normal user interactions. We then used our telemetry to search for those indicators and identify organizations where credentials had likely been compromised by the [SolarWinds hackers]," Microsoft's security team says.
But Microsoft says it's found no evidence that the SolarWinds hackers used Office 365 as an attack vector.
"We have investigated thoroughly and have found no evidence they [SolarWinds] were attacked via Office 365," the Microsoft researchers say. "The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation."
Who Was Behind the Attack?
SolarWinds' Ramakrishna and Alex Stamos, the former Facebook CSO and now a partner in the Krebs Stamos Group, hosted two webinars on Thursday to relay how SolarWinds is working to ensure the company is better prepared to defend against other cyberattacks.
Stamos, who now is serving as an adviser to SolarWinds, began by directly attributing the attack to the Russian foreign intelligence arm, the SVR.
SolarWinds, CISA and other government investigators have previously named Russia as the likely perpetrator of what appears to have been a cyberespionage campaign.
Ramakrishna and Stamos made a series of recommendations for how SolarWinds and other companies can protect themselves against sophisticated attacks waged by the SVR and others. For example, they recommended penetration testing, multifactor authentication, DevSecOps practices and identity management system audits, as well as accountability for all code.
Ramakrishna says SolarWinds will make its full recommendations public soon.
SolarWinds: The Backstory
In their supply chain attack, the hackers, who according to the company's analysis may have had access to SolarWinds' systems as early as September 2019, inserted a backdoor dubbed "Sunburst" into updates for SolarWinds' Orion network monitoring software.
Up to 18,000 customers installed and ran the Trojanized software when they applied those updates. The hackers then used Sunburst to further target a subset of those customers. Intelligence experts have suggested that about 300 organizations may have been hit with these follow-on intrusions, which could have led to data exfiltration, eavesdropping - including email inbox access - and further attacks against business partners.