SolarWinds attackers managed to gain access to Microsoft code

Microsoft has released additional details about the attack that compromised SolarWinds' infrastructure and planted a backdoor in the SolarWinds Orion network infrastructure management platform, which was in use on Microsoft's corporate network.

Analysis of the incident showed that the attackers gained access to some Microsoft corporate accounts, and during the audit it emerged that these accounts had been used to access internal repositories containing Microsoft product code.

It is stated that the permissions of the compromised accounts only allowed the code to be viewed and did not allow changes to be made.

Microsoft has assured users that further verification confirmed that no malicious changes were made to the repositories.

In addition, no traces were found of the attackers accessing Microsoft customer data, attempting to compromise the services Microsoft provides, or using Microsoft's infrastructure to attack other companies.

The attack on SolarWinds led to the introduction of a backdoor not only on the Microsoft network but also at many other companies and government agencies using the SolarWinds Orion product.

The backdoored SolarWinds Orion update was installed in the infrastructure of more than 17,000 SolarWinds customers, including 425 of the Fortune 500, as well as major financial institutions and banks, hundreds of universities, many branches of the US and UK militaries, the White House, the NSA, the US Department of State and the European Parliament.

SolarWinds customers also include major companies such as Cisco, AT&T, Ericsson, NEC, Lucent, MasterCard, Visa USA, Level 3 and Siemens.

The backdoor allowed remote access to the internal networks of SolarWinds Orion users. The malicious change shipped with SolarWinds Orion versions 2019.4 through 2020.2.1, released from March to June 2020.

The incident analysis also exposed a lax attitude to security at a major provider of corporate systems. It is assumed that access to the SolarWinds infrastructure was obtained through a Microsoft Office 365 account.

The attackers gained access to the SAML certificate used to generate digital signatures and used it to forge new tokens that granted privileged access to the internal network.
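The following Python is an added illustration, not code from the article, Microsoft or SolarWinds, of why a token forged with a stolen signing certificate passes signature checks and must instead be caught by reconciling what the federation server recorded issuing against what relying parties accepted; the log formats, token ids and the one-hour lifetime policy are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical format, not a real ADFS/Azure AD log).
# ISSUED: what the federation server says it signed.
ISSUED = [
    {"token_id": "t-1001", "user": "alice",
     "issued": "2020-12-10T09:00:00", "expires": "2020-12-10T10:00:00"},
    {"token_id": "t-1002", "user": "bob",
     "issued": "2020-12-10T09:05:00", "expires": "2020-12-10T10:05:00"},
]
# CONSUMED: what a relying party (e.g. a mail service) accepted after a
# successful signature check. t-9999 was never issued and has a one-year window.
CONSUMED = [
    {"token_id": "t-1001", "user": "alice",
     "issued": "2020-12-10T09:00:00", "expires": "2020-12-10T10:00:00"},
    {"token_id": "t-9999", "user": "admin",
     "issued": "2020-12-10T09:10:00", "expires": "2021-12-10T09:10:00"},
]

MAX_LIFETIME = timedelta(hours=1)  # assumed policy for token validity


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_tokens(issued, consumed, max_lifetime=MAX_LIFETIME):
    """Return (token_id, reason) pairs for accepted tokens that the federation
    server never recorded issuing, whose claims differ from the issuance
    record, or whose validity window exceeds policy. A valid signature only
    proves possession of the signing key, which is exactly what was stolen."""
    known = {e["token_id"]: e for e in issued}
    findings = []
    for tok in consumed:
        tid = tok["token_id"]
        if tid not in known:
            findings.append((tid, "no matching issuance event"))
        elif known[tid] != tok:
            findings.append((tid, "claims differ from issuance record"))
        lifetime = _parse(tok["expires"]) - _parse(tok["issued"])
        if lifetime > max_lifetime:
            findings.append((tid, f"lifetime {lifetime} exceeds policy"))
    return findings


if __name__ == "__main__":
    for token_id, reason in find_suspicious_tokens(ISSUED, CONSUMED):
        print(f"{token_id}: {reason}")
```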

Prior to this, in November 2019, outside security researchers had noted the use of the trivial password "SolarWind123" for write access to the FTP server hosting SolarWinds product updates, as well as the leak of a SolarWinds employee's password in a public git repository.

Additionally, after the backdoor was identified, SolarWinds continued for some time to distribute updates containing the malicious changes and did not immediately revoke the certificate used to digitally sign its products (the issue surfaced on December 13 and the certificate was revoked on December 21).

In response to customer complaints about alerts raised by malware detection systems, customers were encouraged to disable the checks and dismiss the warnings as false positives.

Before that, SolarWinds representatives had actively criticized the open source development model, comparing the use of open source to eating with a dirty fork and stating that an open development model does not prevent the appearance of backdoors and that only a proprietary model can provide control over the code.

In addition, the US Department of Justice disclosed that the attackers gained access to the Department's mail server, which is based on the Microsoft Office 365 platform. The attack is believed to have exposed the contents of the mailboxes of some 3,000 Department employees.

For their part, The New York Times and Reuters, without naming their sources, reported an FBI investigation into a possible link between JetBrains and the SolarWinds compromise. SolarWinds used the TeamCity continuous integration system supplied by JetBrains.

It is assumed that the attackers could have gained access through misconfiguration or the use of an outdated version of TeamCity containing unpatched vulnerabilities.

JetBrains' director dismissed speculation about the company's connection to the attack and indicated that neither law enforcement agencies nor SolarWinds representatives had contacted them about a possible involvement of TeamCity in the compromise of SolarWinds' infrastructure.

Source: https://msrc-blog.microsoft.com
