Solorigate, the malware used in the SolarWinds cyberattacks, is often delivered through Microsoft products. It is one of the most dangerous and damaging cyber incidents ever and stems from the SolarWinds Orion app. While Microsoft is not directly involved in the breach, the company's assertion that its software was not a gateway for the attacks appears to be false.
SolarWinds-related attacks have infected 18,000 organizations, including government agencies. Earlier this week, Microsoft told Business Insider that its services were not a vector for the malware:
“Through all of our roles in different investigations, we have not identified any software vulnerability in Microsoft products or cloud services that led to compromise,” a Microsoft spokesperson said. “In all cases, Microsoft services were a target in the incidents, after an attacker had gained privileged credentials in some other way.”
Despite Microsoft's claims, the way the SolarWinds incident has unfolded makes it clear that the company's software has been used. Last month, the U.S. Department of Justice confirmed a Microsoft 365 breach related to the SolarWinds attack. According to the agency, the breach left 3% of its mailboxes vulnerable. However, no classified information was stolen during the attack.
As Microsoft continues to push for a unified response to the attacks, it is strange that it is ignoring the role its own software plays, especially as the problem is not with Microsoft services themselves. Russia-backed threat actors used the avsvmcloud.com domain to host a server for the Solorigate malware. The infection was sent to 18,000 SolarWinds Orion customers.
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Microsoft software was used in the attacks. In fact, the agency says it is unaware of any other cloud software being used to deliver Solorigate. In January, Malwarebytes found attacks that came through Microsoft Azure and Office 365.
Microsoft's seemingly robust response to the attacks and its call for global action are not borne out by some of the facts. For example, the company is sharing technical data to help organizations mitigate the attacks, but some say Microsoft is not being transparent.
When the SolarWinds problem exploded, Microsoft president Brad Smith celebrated the company as “first responders” to the issue. In December, Smith said the attack creates “serious technological vulnerability for the United States and the world”.
Ron Gula, founder of cybersecurity firm Tenable, told Business Insider that Microsoft is offering mixed messages:
“Where is the one comprehensive statement on Microsoft's role in SolarWinds? They're the size of a small country. They've done some good things helping to stop SolarWinds, but they also got hacked. I haven't seen the full transparency there.”
In December, CISA debuted a PowerShell tool to help Microsoft 365 customers mitigate Solorigate. Microsoft had recently confirmed that stolen Azure/Microsoft 365 credentials and access tokens were part of the breach.
Cybersecurity firm FireEye admitted in December that it had been breached. One Microsoft critic believes that disclosure highlights the contrast with Microsoft:
“This has been a PR hit for Microsoft,” claims cybersecurity investor Mike Janke, cofounder of Data Tribe. “FireEye did it the right way, but Microsoft knew more than they said.”