Security experts and U.S. Senator Ron Wyden are making serious accusations, charging industry leader Microsoft with negligence. They say Microsoft failed to fix known problems with its cloud software and failed to warn users, and that this is what enabled the massive SolarWinds hack that compromised at least nine federal agencies. An attack vector known as "golden SAML" played a role in this. Time to shed some light on the whole thing.
For months, numerous U.S. agencies and departments, as well as companies around the world, were hacked through a backdoor in SolarWinds Orion, and the attackers managed to exfiltrate numerous documents. I first reported on these hacks of the U.S. security company FireEye, the U.S. Treasury Department and other U.S. agencies in the articles US Treasury and US NTIA hacked and FireEye hacked, Red Team tools stolen. The hackers had been able to look around the victims' IT systems for months, reading mail and pulling documents. More articles are linked at the end of this post.
Reports from companies and government agencies that were hacked portray the hack as a sophisticated operation by a state-sponsored group with around a thousand developers. Given the size of the operation, that can't be completely dismissed. The attackers' approach was also quite clever, although the question must be asked: were the protagonists among the victims too sure of themselves? In the blog post Sloppiness at SolarWinds responsible for compromised software? I had already picked out one aspect, namely how security was practiced at SolarWinds, the developer of the compromised Orion software.
It has also been suggested that the outsourcing of development could be responsible for the supply chain attack (see SolarWinds hack: Hacker goals; outsourcing are under investigation?). But Microsoft is now also coming under pressure, or rather observers are asking the obvious question: is Redmond doing enough to ensure the security of Microsoft systems? For one thing, Microsoft itself became a victim of the hack (see SolarWinds hackers had access to Microsoft source code). In addition, I know of cases where reported vulnerabilities are downplayed and not fixed for months ("We are not aware of any cases of exploitation", "Exploitation is unlikely").
(Source: Pexels Markus Spiske CC0 License)
Microsoft and the golden SAML attack vector
Now U.S. Senator Ron Wyden is attacking Microsoft, saying its negligence in removing known vulnerabilities contributed to the success of the hacking campaign in the first place. Reuters reported the facts a few hours ago in the article Microsoft failed to shore up defenses that could have limited SolarWinds hack: U.S. senator. The attack vector known as "golden SAML" was first publicly disclosed by security researchers in 2017.
Brief background on SAML
SAML stands for Security Assertion Markup Language, an XML framework for exchanging authentication and authorization information. It provides functions to describe and transmit security-related information. SAML was developed by the OASIS consortium starting in 2001. This consortium includes companies such as Sun Microsystems (acquired by Oracle), IBM, Nokia and SAP. The following use cases were in mind during development:
- Single sign-on: A user, after logging on to a Web application, is automatically authenticated to use other applications as well.
- Distributed transactions: Multiple users collaborate on a transaction and share security information.
- Authorization services: Communication with a service passes through an intermediate station that verifies authorization.
These services are to be provided primarily for web services. SAML consists of SAML assertions, the SAML protocol, SAML bindings and profiles.
The golden SAML attack vector
Golden SAML is an attack vector discovered by security researchers at CyberArk Labs. The CyberArk Labs people hosted a webinar about it at the time. There they demonstrated a new tool, shimit, that implements a golden SAML attack. This makes it possible to compromise an AWS account from a Microsoft (Active Directory) domain.
In short, the golden SAML attack vector allows an attacker to forge a SAML response, essentially a fake SAML "authentication object." With this forged SAML the attacker can authenticate to any service that uses the SAML 2.0 protocol as an SSO mechanism. It's effectively a master key with access to everything.
Microsoft's role in the matter
With its cloud services, Microsoft is widely used in many government agencies and companies. SAML is also used there for authentication. The golden SAML attack vector allows hackers to impersonate authorized employees to gain access to customers' cloud services. This technique was one of many used in the SolarWinds hack.
U.S. Senator Wyden, who as a member of the Senate Intelligence Committee has criticized tech companies on security and privacy issues, accuses Microsoft of not doing more to prevent or warn customers about fake identities. "The federal government spends billions on Microsoft software," Wyden told Reuters before a SolarWinds hearing on Friday in the House of Representatives. And then Wyden followed up with, "They [the federal government] should be wary of spending any more before we find out why the company didn't warn the government about the hacking technology that the Russians used that Microsoft knew about since at least 2017."
Role of golden SAML unclear
It's also worth noting that the golden SAML issue is anything but clear at the moment. Microsoft disputed Wyden's conclusions, telling Reuters that the design of its identity services was not flawed. Reuters cites a Microsoft lobbyist's response to written questions from U.S. Senator Wyden in early February 2021 that the attack vector known as golden SAML, "has never been used in an actual attack" and "has not been identified as a risk by intelligence agencies, nor has it been identified as such by civilian agencies." In other words, "worked as implemented" (worked as designed).
However, there was a public advisory as early as December 17, 2020, following the SolarWinds hack. There, the National Security Agency (NSA) called for closer monitoring of identity services, stating, "This SAML attack method has been known and used by cyber actors since at least 2017."
And in testimony before Congress on Tuesday, Microsoft President Brad Smith said that only about 15% of victims of the SolarWinds campaign were harmed via golden SAML. Even in those cases, the hackers had to have already gained access to systems before using the method. Staffers for U.S. Senator Wyden told Reuters that one of those victims was the U.S. Treasury Department. There, the email accounts of dozens of Treasury officials were probably spied on by the hackers for months.
The risk of the cloud
In a response to further questions from U.S. Senator Wyden this week, Microsoft was forced to admit "that its programs were not designed to detect the theft of identity tools used to grant cloud access." So if an attacker can forge a SAML response, all doors are open to them via the cloud – all the highly praised security stuff is simply blind to it (it's not designed for that, because SAML is a chain of trust: the service provider accepts whatever the identity provider's signing key has signed).
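Since a golden SAML token carries a valid signature, signature validation on the service-provider side cannot catch it; what the NSA's call for "closer monitoring of identity services" amounts to in practice is correlating the tokens a cloud service accepted against the tokens the identity provider actually logged as issued. The following is an added example, not code from the article or from Microsoft; the log records and field names are constructed for illustration (real AD FS or cloud sign-in logs would have to be mapped to them):

```python
"""Flag SAML assertions a service provider (SP) accepted that the identity
provider (IdP) never recorded issuing, or whose validity window is abnormally
long. A forged (golden) assertion passes signature checks because it is signed
with the IdP's stolen key; the missing issuance event is the tell-tale sign.
All records below are constructed sample data, not real log output."""
from datetime import datetime, timedelta

# Constructed IdP token-issuance audit records (one per legitimately issued token).
IDP_ISSUANCE_LOG = [
    {"assertion_id": "_a1", "subject": "alice@example.org", "issued": "2020-12-10T09:00:00"},
    {"assertion_id": "_a2", "subject": "bob@example.org", "issued": "2020-12-10T09:05:00"},
]

# Constructed SP-side records of assertions that already passed signature validation.
SP_ACCEPTED_LOG = [
    {"assertion_id": "_a1", "subject": "alice@example.org",
     "issued": "2020-12-10T09:00:00", "not_on_or_after": "2020-12-10T09:05:00"},
    {"assertion_id": "_a2", "subject": "bob@example.org",
     "issued": "2020-12-10T09:05:00", "not_on_or_after": "2020-12-10T09:10:00"},
    # Never issued by the IdP and valid for a year: the profile of a forged token.
    {"assertion_id": "_zz9", "subject": "admin@example.org",
     "issued": "2020-12-10T09:10:00", "not_on_or_after": "2021-12-10T09:10:00"},
]

MAX_VALIDITY = timedelta(minutes=10)  # assumed organisational policy for token lifetime


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspect_assertions(idp_log, sp_log, max_validity=MAX_VALIDITY):
    """Return SP records with no matching IdP issuance event or an oversized lifetime."""
    issued = {(r["assertion_id"], r["subject"]) for r in idp_log}
    suspects = []
    for rec in sp_log:
        reasons = []
        if (rec["assertion_id"], rec["subject"]) not in issued:
            reasons.append("no matching IdP issuance event")
        lifetime = _ts(rec["not_on_or_after"]) - _ts(rec["issued"])
        if lifetime > max_validity:
            reasons.append(f"validity window {lifetime} exceeds policy")
        if reasons:
            suspects.append({"assertion_id": rec["assertion_id"],
                             "subject": rec["subject"], "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for suspect in find_suspect_assertions(IDP_ISSUANCE_LOG, SP_ACCEPTED_LOG):
        print(suspect)
```

The check only works if the IdP's issuance audit log is shipped to a store the attacker cannot alter, since an attacker holding the signing key is typically also on the IdP host.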
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, is quoted by Reuters as saying that the flaw shows cloud security risks should be a higher priority. In his words, the hackers' sophisticated misuse of identities reveals a worrisome weakness in the way cloud computing giants invest in security, perhaps by not sufficiently mitigating the risk of high-impact, low-probability failures in the systems that form the basis of their security model. Thanks to Gero for the hint.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian ATP malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Malwarebytes also successfully hacked by the SolarWinds attackers
Four more security vendors confirm SolarWinds incidents