We all know that security has been a priority at Microsoft for years – no kidding. And every Windows is the best and most secure Windows ever. Whistleblower and ex-employee Andrew Harris says Microsoft ignored his warnings about an Active Directory flaw for years. Harris left the company in 2020, and in the same year the SolarWinds hack probably occurred via this vulnerability. At Microsoft, features and gimmicks take precedence over security. These are serious allegations, but they sound plausible.
A cyber incident in 2016
Ex-employee Andrew Harris was hired by Microsoft for his exceptional ability to keep hackers out of the most sensitive computer networks in the US. Before joining Microsoft, Harris worked for the US Department of Defense. In 2016, there was a mysterious incident where intruders had somehow infiltrated a major American technology company. Harris investigated the whole thing and made a disturbing discovery.
The attackers had infiltrated Microsoft's cloud, leaving barely a trace – so something was up. Harris focused his investigation of the hack on the application used to log into the cloud. There, he discovered a vulnerability that allowed attackers to impersonate legitimate users and access all the data in the respective user account. A security nightmare: everyone who used the software was at risk, regardless of whether the victim used Microsoft's cloud or another provider such as Amazon.
Warning of vulnerability
Harris recognized the problem and was concerned about the security of the US government and the country. He therefore alerted his colleagues at Microsoft to the problem. The application, which millions of users use to log in, had a vulnerability (in the Active Directory, according to my reading).
Propublica, which made the case public in the blog post Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says, writes that Harris' colleagues at Microsoft saw the "problem" a little differently. The US government was in the process of making a massive move into cloud computing. Microsoft feared that admitting this security vulnerability could jeopardize the company's chances of securing a deal. At least that's what Harris was told by a Microsoft product manager.
Harris was made aware of the financial consequences of a deal falling through – the threat of losing a multi-billion dollar business and the threat of Microsoft falling behind in the rat race for cloud market share. The vulnerability was therefore not made public and, according to Harris, he tried in vain to get Microsoft to fix it in the years that followed. Those responsible at Microsoft always dismissed the warnings and said that they were working on a long-term alternative.
In the meantime, the Microsoft cloud service remained vulnerable to attacks worldwide. Harris was sure that someone would eventually figure out how to exploit the vulnerability. He had found a temporary solution to mitigate the vulnerability. But this would have required customers to disable single sign-on (SSO). With SSO, the user can access almost all programs used at the workplace with just a single login.
According to Propublica, he rushed to warn some of Microsoft's most sensitive customers about the threat. For example, he personally oversaw the remediation of the vulnerability at the New York Police Department. Frustrated by Microsoft's inaction, he left the company in August 2020.
Vulnerability exploited in SolarWinds hack in 2020
In 2020, the infamous SolarWinds hack occurred via the Golden SAML vulnerability. This is an attack technique that exploits the SAML authentication protocol and was used against SolarWinds by the hacker group Nobelium in 2020. The hacking group Nobelium, also known as Midnight Blizzard or Cozy Bear, injected malicious code into SolarWinds' Orion IT management software, infecting thousands of organizations, including the U.S. government. Following this attack, the Cybersecurity and Infrastructure Security Agency (CISA) recommended that organizations with hybrid identity environments switch SAML authentication to a cloud identity system such as Entra ID.
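One defensive check that follows from the technique described above, added here as an example that is not from the Propublica article, from Microsoft, or from CISA: a token forged with a stolen federation signing key validates at the cloud side, but the on-prem federation server never logged issuing it, so correlating cloud sign-ins against federation issuance events exposes the forgery. The event layout, field names and sample records are constructed assumptions, not a real product's log schema.

```python
"""Constructed Golden SAML detection example: flag cloud sign-ins whose SAML
assertion has no matching on-prem issuance event, a mismatched subject, an
implausible issue/use time gap, or a lifetime far beyond policy."""
from datetime import datetime, timedelta

# Constructed sample: on-prem federation service "token issued" events.
# (assertion_id, issued_at, user)
FEDERATION_ISSUED = [
    ("_a1", "2020-12-01T09:00:00", "alice@corp.example"),
    ("_a2", "2020-12-01T09:05:00", "bob@corp.example"),
]

# Constructed sample: cloud-side sign-ins that presented a SAML assertion.
# (assertion_id, seen_at, user, assertion_lifetime_hours)
CLOUD_SIGNINS = [
    ("_a1", "2020-12-01T09:00:02", "alice@corp.example", 1),
    ("_a2", "2020-12-01T09:05:01", "bob@corp.example", 1),
    # Never issued on-prem and valid for a year: the Golden SAML pattern.
    ("_zz", "2020-12-01T11:30:00", "admin@corp.example", 24 * 365),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_signins(issued, signins, max_skew=timedelta(minutes=5),
                            max_lifetime=timedelta(hours=8)):
    """Return (assertion_id, user, reasons) for sign-ins that look forged."""
    issued_by_id = {aid: (_parse(ts), user) for aid, ts, user in issued}
    findings = []
    for aid, seen, user, hours in signins:
        reasons = []
        rec = issued_by_id.get(aid)
        if rec is None:
            reasons.append("no matching federation issuance event")
        else:
            iss_ts, iss_user = rec
            if iss_user != user:
                reasons.append("subject differs from issued assertion")
            if abs(_parse(seen) - iss_ts) > max_skew:
                reasons.append("issuance/use time gap exceeds skew")
        if timedelta(hours=hours) > max_lifetime:
            reasons.append("assertion lifetime far above policy")
        if reasons:
            findings.append((aid, user, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_signins(FEDERATION_ISSUED, CLOUD_SIGNINS):
        print(finding)
```

In a real environment the left-hand side would be the federation server's token-issuance audit log and the right-hand side the cloud tenant's sign-in log; the join key is the assertion ID both sides record.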
According to the Propublica article, however, the vulnerability discovered by Harris (i.e. Golden SAML) was the reason why the hacker group Nobelium was able to hack Solarwinds. In the article, Propublica writes that Harris' statements are supported by interviews with former colleagues and employees as well as social media posts.
When the SolarWinds supply chain attack became public, Microsoft made it clear that the company was not to blame. Brad Smith, president at Microsoft, assured Congress at a hearing in 2021 that there was "no vulnerability in any Microsoft product or service that was exploited in SolarWinds", writes Propublica. And there was a hint that Microsoft customers could have done more to protect themselves.
Harris now contradicts this, because customers never had the opportunity to protect themselves better (unless they do without Microsoft products). Of course, Harris's comments throw the prevailing public image of the SolarWinds hack into disarray. Harris now works for CrowdStrike. This is a cyber security company that competes with Microsoft.
Harris said: "The decisions are not based on what's best for Microsoft's customers, but what's best for Microsoft." ProPublica writes that Microsoft declined an interview with Smith or other high-ranking executives on the subject. A Microsoft spokesperson responded to ProPublica: "Protecting customers is always our top priority. Our security team takes all security issues seriously and reviews each case with due diligence, conducting a thorough manual assessment and coordinating with engineering and security partners. Our assessment of this issue was reviewed multiple times and was in line with industry consensus." At the same time, Microsoft did not dispute ProPublica's findings.
Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian APT malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Malwarebytes also successfully hacked by the SolarWinds attackers
Four more security vendors confirm SolarWinds incidents
New variant of the Solarwinds attack technique discovered in 2020
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack