Suspected Russian Hackers Used Microsoft Vendors to Breach Customers

WASHINGTON: Suspected Russian hackers behind the worst American cyberattack in years took advantage of resellers’ access to Microsoft services to penetrate targets that did not have compromised SolarWinds network software, researchers said.

While SolarWinds Orion software updates were previously the only known point of entry, security company CrowdStrike said on Thursday (December 24) that hackers had gained access to the vendor that sold it Office licenses and used that access to try to read CrowdStrike's email.

It didn’t specifically identify the hackers as the ones who compromised SolarWinds, but two people familiar with the CrowdStrike investigation said it did.

CrowdStrike uses Office programs for word processing, but not for email. The failed attempt, made months ago, was pointed out to CrowdStrike by Microsoft on December 15.

CrowdStrike, which does not use SolarWinds, said it found no impact from the intrusion attempt and declined to name the reseller.

“They came in through reseller access and tried to enable mail ‘read’ privileges,” one of the people familiar with the investigation told Reuters. “If I had been using Office 365 for email, it would be over.”

Many Microsoft software licenses are sold through third parties, and those companies can have almost constant access to customer systems as customers add products or employees.

Microsoft said Thursday those customers should be vigilant.

“Our investigation of recent attacks has found incidents related to the abuse of credentials to gain access, which can come in various forms,” said Microsoft Senior Director Jeff Jones. “We have not identified any vulnerabilities or compromises in Microsoft’s cloud products or services.”

Using a Microsoft reseller to try to break into a major digital defense firm raises new questions about how many avenues are available to hackers, who according to US officials operate on behalf of the Russian government.

Known victims so far include CrowdStrike’s security rival FireEye and the US Departments of Defense, State, Commerce, Treasury, and Homeland Security. Other large companies, including Microsoft and Cisco Systems, said they found tainted SolarWinds software internally, but they had found no signs of hackers using it to move widely within their networks.

[Photo: The SolarWinds logo is seen outside of its headquarters in Austin, Texas, on December 18, 2020. REUTERS / Sergio Flores]

Until now, Texas-based SolarWinds was the only publicly confirmed channel for the initial intrusions, though officials have been warning for days that the hackers had other ways to get in.

Reuters reported a week ago that Microsoft products were used in attacks. But federal officials said they had not seen it as an initial vector, and the software giant said its systems were not used in the campaign.

Microsoft later hinted that its customers should still be cautious. At the end of a long, technical blog post on Tuesday, it used a single sentence to mention that the hackers had reached the Microsoft 365 cloud “from trusted vendor accounts where the attacker had compromised the vendor environment.”

Microsoft requires its vendors to have access to customer systems in order to install products and add new users. But finding out which vendors still hold access rights at any given time is so difficult that CrowdStrike developed and released an auditing tool to do so.
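The reseller-access scenario described above, where a partner account is used to try to grant itself mailbox read rights, is the kind of event a tenant can look for in its own audit logs. The script below is an added example, not from the article and not CrowdStrike's tool: it scans constructed audit records in a simplified form of the Microsoft 365 unified audit log shape (the `Operation`, `UserId`, `CreationTime` and `Parameters` field names are an assumption for illustration) and flags any `Add-MailboxPermission` grant of read-capable rights made by an account outside the tenant's own domains.

```python
"""Flag mailbox-read permission grants made by accounts outside the tenant.

Added example (not from the article or any vendor tool). The audit records in
SAMPLE_LOG are constructed; their field layout is a simplified assumption of
the Microsoft 365 unified audit log export, not a guaranteed schema.
"""
import json

# Access rights that let the grantee read another user's mail.
MAIL_READ_RIGHTS = {"FullAccess", "ReadPermission"}

# The tenant's own domains (constructed). Any other domain is treated as an
# external principal, e.g. a reseller / delegated-admin account.
TENANT_DOMAINS = {"contoso.example"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = """
{"CreationTime": "2020-10-02T03:14:07", "Operation": "Add-MailboxPermission", "UserId": "admin@partner-msp.example", "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"}, {"Name": "User", "Value": "svc-sync@partner-msp.example"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2020-10-02T09:30:00", "Operation": "Add-MailboxPermission", "UserId": "itadmin@contoso.example", "Parameters": [{"Name": "Identity", "Value": "shared-hr@contoso.example"}, {"Name": "User", "Value": "hr-lead@contoso.example"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2020-10-03T11:05:42", "Operation": "Add-MailboxPermission", "UserId": "admin@partner-msp.example", "Parameters": [{"Name": "Identity", "Value": "billing@contoso.example"}, {"Name": "User", "Value": "svc-sync@partner-msp.example"}, {"Name": "AccessRights", "Value": "SendAs"}]}
{"CreationTime": "2020-10-03T11:06:10", "Operation": "Set-Mailbox", "UserId": "admin@partner-msp.example", "Parameters": [{"Name": "Identity", "Value": "billing@contoso.example"}]}
"""


def load_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(upn):
    """True when the acting account's domain is not one of the tenant's own."""
    domain = upn.rsplit("@", 1)[-1].lower()
    return domain not in TENANT_DOMAINS


def param(record, name):
    """Return the value of a named entry in the record's Parameters list."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def flag_mail_read_grants(records):
    """Return findings for mailbox read rights granted by an external principal.

    A finding requires all three conditions: the operation is
    Add-MailboxPermission, the granted rights include a read-capable right,
    and the actor is from outside the tenant's domains.
    """
    findings = []
    for r in records:
        if r.get("Operation") != "Add-MailboxPermission":
            continue
        rights = {x.strip() for x in (param(r, "AccessRights") or "").split(",")}
        read_rights = rights & MAIL_READ_RIGHTS
        if not read_rights:
            continue
        actor = r.get("UserId", "")
        if not is_external(actor):
            continue
        findings.append({
            "time": r.get("CreationTime"),
            "actor": actor,
            "mailbox": param(r, "Identity"),
            "grantee": param(r, "User"),
            "rights": sorted(read_rights),
        })
    return findings


if __name__ == "__main__":
    for f in flag_mail_read_grants(load_records(SAMPLE_LOG)):
        print(f"{f['time']} external actor {f['actor']} granted "
              f"{','.join(f['rights'])} on {f['mailbox']} to {f['grantee']}")
```

Of the four constructed records only the first is reported: the internal admin's grant and the partner's SendAs-only grant are expected noise, and the `Set-Mailbox` call is a different operation. In a real tenant the same filter would be applied to an export of the unified audit log, with `TENANT_DOMAINS` populated from the tenant's verified domains.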


After a series of other breaches through cloud providers, including a significant set of attacks attributed to Chinese government-backed hackers known as CloudHopper, Microsoft this year imposed new controls on its resellers, including requirements for multi-factor authentication.

The Cybersecurity and Infrastructure Security Agency and the National Security Agency did not immediately comment.

Also on Thursday, SolarWinds released an update to fix vulnerabilities in its flagship network management software, Orion, following the discovery of a second group of hackers who had targeted the company’s products.

That followed a separate Microsoft blog post on Friday that said SolarWinds had its software compromised by a second, unrelated group of hackers in addition to those linked to Russia.

The identity of the second group of hackers, and how far they may have succeeded in getting into either location, remains unclear.

Russia has denied having any role in the hacking.