SolarWinds hackers had access to components used by Azure, Intune, and Exchange

Pierluigi Paganini February 18, 2021

Microsoft announced that SolarWinds hackers could have had access to repositories containing some components used by Azure, Intune, and Exchange.

Microsoft announced that the threat actors behind the SolarWinds supply chain attack could have had access to repositories containing the source code for a limited number of components used by Azure, Intune, and Exchange.

In December, Microsoft experts revealed that SolarWinds hackers could have compromised a small number of internal accounts and used at least one of them to view source code in a number of source code repositories.

Shortly after the disclosure of the SolarWinds attack, Microsoft confirmed that it was one of the companies breached in the recent supply chain attack, but the IT giant denied that the nation-state actors compromised its software supply-chain to infect its customers.

SolarWinds attacks MS

Frank Shaw, the corporate vice president of communications at Microsoft, confirmed that its company detected multiple malicious SolarWinds binaries in its environment.

The good news is that accounding an investigation update provided by Microsoft the attackers hackers only viewed a few individual files.

However, for some repositories, including ones for Azure, Intune, and Exchange, the attackers could download component source code.

“There was no case where all repositories related to any single product or service was accessed. There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search. For a small number of repositories, there was additional access, including in some cases, downloading component source code.” reads the update provided by Microsoft.

“These repositories contained code for:

  • a small subset of Azure components (subsets of service, security, identity)
  • a small subset of Intune components
  • a small subset of Exchange components”

The IT giant revealed that attackers used search terms in an attempt to find secrets, such as login credentials to use for lateral movements in the corporate networks.

Microsoft added that its development policy prohibits secrets in code, it uses automated tools to verify compliance.

“Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.” continues the company.

The SolarWinds attack demonstrated the importance of embracing a Zero Trust mindset and protecting privileged credentials.

“A Zero Trust, “assume breach” philosophy is a critical part of defense. Zero Trust is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data.” concludes Microsoft.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment