[German]Microsoft has admitted that the hackers who introduced the SolarWinds backdoor into the Orion software had access to project source code. Code could allegedly not be changed, however.
Since some weeks now, the SolarWinds hack has been a matter of concern for US authorities and IT companies (see link list at the end of the article). Suspected state attackers succeeded in infecting a DLL in SolarWinds’ Orion software with a backdoor called SOLARBURST. Since SolarWinds Orion products are used by many customers, the number of victims is enormous (potentially 18,000 people are said to be affected). In the article News in the fight against SUNBURST infection, domain seized I had mentioned some victims – the Wallstreet Journal article here gives a further overview. In the meantime, it has also become known that another backdoor was found on some victims (see 2nd backdoor found on infected SolarWinds systems and this article). It suggests that another hacker group is active in this field.
New CISA security advisory
As of December 30, 2020, the U.S. CISA has issued a security advisory to government agencies. This regulates how they must proceed when using SolarWinds Orion software. If Orion software versions 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, and 2020.2 HF1 were in use, the system is compromised. The instruction is to shut down and isolate the systems from the network.
Hacker had access to Microsoft’s source code
It has been known for some time that Microsoft has found the SOLARBURST backdoor on its systems (see SolarWinds hack: Microsoft and others also affected?). However, Microsoft has stated that the backdoor has not been actively exploited. Now there is a new development, as Microsoft has announced in this post that the SolarWinds attackers have access to various source codes.
The Microsoft investigation did not reveal any evidence of access to production services or customer data, the company writes. Nor have any Microsoft systems been used to attack others, it said. However, the investigation is still ongoing. In the meantime, however, it has become known that the hackers tried to access Microsoft source code.
Microsoft’s investigation found unusual activity on a small number of internal accounts. Further analysis revealed that one account was used to view source code in a number of source code repositories. Fortunately, this account had no authorization to modify code or technical systems. Investigations so far revealed that no changes could be made to the source code by the attackers.
Microsoft’s inner-source approach has proven to be successful. Employees from software development can indeed use the company’s source codes. But the structure is such that modifications may only be made by certain accounts. These “defense-in-depth” safeguards and controls within Microsoft probably stopped any attempt to modify the source code, according to the statement.
But the incident shows that even companies like Microsoft can never be sure they won’t be hacked. Reuters has published this article, in which external experts also comment on the case. Depending on the type of source code that could be viewed, the fear is that this could be used for further hacking attacks.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
SUNBURST malware was injected into SolarWind’s source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft’s analysis and news
2nd backdoor found on infected SolarWinds systems
Cookies helps to fund this blog: Cookie settings