Date: 2020-12-19

Microsoft Corp. on Friday said its systems were exposed to the same malware used in the Russia-linked hack that targeted U.S. states and government agencies the day before. However, the company maintained that investigations so far show the malicious software wasn’t used to attack others and didn’t impact customer data or outward-facing systems.

The company is a customer of SolarWinds Corp., whose software the hackers are believed to have used to gain access to networks by installing malicious code. Later, company spokesperson Frank Shaw clarified that Microsoft had found code related to the cyber-attack, which was isolated and removed. Shaw also said, “We have not found evidence of access to production services or customer data.”

So far, Microsoft has found “a few instances” of the SolarWinds malware in its computers, but no signs of further encroachment, Microsoft President and Chief Legal Officer Brad Smith said Friday in a Bloomberg Television interview. “We are still investigating, to be clear, but we found no indications the attackers were able to go from that point to create vulnerabilities in our products or services,” he said.

On Friday, Shaw tweeted that the Microsoft Threat Intelligence Center had published a detailed description of the hack against the US Government and American companies.

Microsoft Threat Intelligence Center has published a detailed description of the hack against the US Government and American companies (via @JohnLaTwC) https://t.co/aGSWYUEjkX — Miguel de Icaza (@migueldeicaza), December 18, 2020

He also attached the blog post to the tweet. The blog post said: “While the full extent of the compromise is still being investigated by the security industry as a whole, here we are sharing insights into the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack.”

Here are the facts that you need to know about the attack:

The addition of a few benign-looking lines of code into a single DLL file spelled a serious threat to organizations using the affected product, a widely used IT administration software used across verticals, including government and the security industry.

The discreet malicious code inserted into the DLL called a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.

The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline.

Evidence suggests that as early as October 2019, these attackers had been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions—and keep a low profile.

The challenge in detecting these kinds of attacks means organizations should focus on solutions that can look at different facets of network operations to detect ongoing attacks already inside the network, in addition to strong preventative protection.

Reuters reported Thursday that Microsoft was hacked and that its systems were used to attack other entities, citing people familiar with the matter.

Any successful cyber-attack on Microsoft, the world’s largest software maker and the second-biggest cloud-infrastructure provider, could damage its standing as a trusted provider of cloud software and security services. The software giant’s involvement emerged as the wider repercussions of the far-reaching hack became clearer. SolarWinds’ customers include government agencies and Fortune 500 companies, according to the company and cybersecurity experts. The departments of Homeland Security, Treasury, Commerce and State were breached, according to a person familiar with the matter. The U.S. nuclear weapons agency and at least three states were also hacked.

The broader cyber attack

Separately, Microsoft said Thursday in a blog post about the broader cyber-attack that it had identified, and had been working this week to notify, more than 40 customers that the hackers had targeted more precisely and compromised through additional, sophisticated measures. Those 40 include institutions in eight countries, Smith said in the interview Friday. Amid its investigation of its own networks, Microsoft also had 500 employees helping customers monitor and cope with the attack.

All told, probably several dozen to several hundred companies and organizations will be found to have been hacked, Smith said.

“It’s alarming because it is so sophisticated, its reach is so broad and it’s reckless; it put at risk the technology supply chain for the global economy,” he said.
