Hacking

SolarWinds hackers had access to components used by Azure, Intune, and Exchange

Microsoft announced that SolarWinds hackers could have had access to repositories containing some components used by Azure, Intune, and Exchange.

Microsoft announced that the threat actors behind the SolarWinds supply chain attack could have had access to repositories containing the source code for a limited number of components used by Azure, Intune, and Exchange.

In December, Microsoft experts revealed that SolarWinds hackers could have compromised a small number of internal accounts and used at least one of them to view source code in a number of source code repositories.

Shortly after the disclosure of the SolarWinds attack, Microsoft confirmed that it was one of the companies breached in the recent supply chain attack, but the IT giant denied that the nation-state actors compromised its software supply-chain to infect its customers.

Frank Shaw, the corporate vice president of communications at Microsoft, confirmed that its company detected multiple malicious SolarWinds binaries in its environment.

The good news is that accounding an investigation update provided by Microsoft the attackers hackers only viewed a few individual files.

However, for some repositories, including ones for Azure, Intune, and Exchange, the attackers could download component source code.

“There was no case where all repositories related to any single product or service was accessed. There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search. For a small number of repositories, there was additional access, including in some cases, downloading component source code.” reads the update provided by Microsoft.

“These repositories contained code for:

  • a small subset of Azure components (subsets of service, security, identity)
  • a small subset of Intune components
  • a small subset of Exchange components”

The IT giant revealed that attackers used search terms in an attempt to find secrets, such as login credentials to use for lateral movements in the corporate networks.

Microsoft added that its development policy prohibits secrets in code, it uses automated tools to verify compliance.

“Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.” continues the company.

The SolarWinds attack demonstrated the importance of embracing a Zero Trust mindset and protecting privileged credentials.

“A Zero Trust, “assume breach” philosophy is a critical part of defense. Zero Trust is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data.” concludes Microsoft.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

42 mins ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

21 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.