SolarWinds attackers managed to gain access to Microsoft code

Microsoft has posted additional details about the attack, carried out by compromising SolarWinds infrastructure and introducing a backdoor into the SolarWinds Orion network infrastructure management platform, which was used in the Microsoft corporate network. Analysis of the incident showed that the attackers gained access to several corporate Microsoft accounts. The audit also revealed that these accounts were used to access internal repositories containing the source code of Microsoft products.

According to Microsoft, the permissions of the compromised accounts allowed only viewing the code and did not allow changes to be made. Microsoft has assured users that additional verification confirmed that no malicious changes were introduced into the repositories. No traces were found of the attackers accessing Microsoft customers' data, attempting to compromise the services Microsoft provides, or using Microsoft infrastructure to carry out attacks on other companies.

Recall that the SolarWinds compromise delivered a backdoor not only into Microsoft's network but into the networks of many other companies and government agencies that use SolarWinds Orion. The backdoored SolarWinds Orion update was installed on the infrastructure of over 17,000 SolarWinds customers, including 425 of the 500 Fortune 500 companies, major financial institutions, hundreds of universities, many divisions of the US and UK military, the White House, the NSA, the US State Department and the European Parliament. The backdoor gave remote access to the internal networks of SolarWinds Orion users.
The malicious change shipped with SolarWinds Orion versions 2019.4 to 2020.2.1, released between March and June 2020. The first traces of the backdoor being used date to spring 2020.

The analysis of the incident also exposed a careless attitude to security on the part of large suppliers of corporate systems. SolarWinds' infrastructure is believed to have been accessed through a Microsoft Office 365 account. The attackers obtained the SAML certificate used to generate digital signatures and used it to mint new tokens granting privileged access to the internal network.
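Tokens minted with a stolen SAML signing certificate carry a valid signature, so the signature check alone does not catch them; the added example below (not from the article or from Microsoft) shows the defender-side checks an audit pipeline can apply instead. It assumes each assertion seen at a service provider and the IdP authentication log have already been parsed into dicts; all thumbprints, subjects and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Thumbprints of token-signing certificates the IdP legitimately uses (constructed values).
TRUSTED_SIGNER_THUMBPRINTS = {"3f1c-constructed-legit-cert"}
MAX_ASSERTION_LIFETIME = timedelta(hours=1)   # policy: the IdP never issues longer-lived assertions
AUTH_WINDOW = timedelta(minutes=5)            # an IdP logon must precede issuance by at most this

def audit_assertion(assertion, idp_auth_log):
    """Return the list of findings for one SAML assertion observed at a service provider."""
    findings = []
    if assertion["signer_thumbprint"] not in TRUSTED_SIGNER_THUMBPRINTS:
        findings.append("signed by unknown certificate")
    lifetime = assertion["not_on_or_after"] - assertion["not_before"]
    if lifetime > MAX_ASSERTION_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds policy")
    # A genuine assertion is preceded by an authentication event at the IdP for the same
    # subject; a token minted offline with the stolen certificate has no such event.
    issued = assertion["issue_instant"]
    if not any(ev["subject"] == assertion["subject"]
               and timedelta(0) <= issued - ev["time"] <= AUTH_WINDOW
               for ev in idp_auth_log):
        findings.append("no matching IdP authentication event")
    return findings

# Constructed sample data: one IdP logon, one genuine assertion, one forged assertion.
T0 = datetime(2020, 6, 1, 9, 0, 0)
IDP_AUTH_LOG = [{"subject": "alice@corp.example", "time": T0}]
GENUINE = {"subject": "alice@corp.example", "signer_thumbprint": "3f1c-constructed-legit-cert",
           "issue_instant": T0 + timedelta(seconds=2), "not_before": T0 + timedelta(seconds=2),
           "not_on_or_after": T0 + timedelta(minutes=10)}
# Forged with the real signing key: the thumbprint check passes, so only the
# lifetime and the missing IdP logon distinguish it from a genuine token.
FORGED = {"subject": "svc-admin@corp.example", "signer_thumbprint": "3f1c-constructed-legit-cert",
          "issue_instant": T0 + timedelta(hours=3), "not_before": T0 + timedelta(hours=3),
          "not_on_or_after": T0 + timedelta(days=365)}

if __name__ == "__main__":
    for name, assertion in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, audit_assertion(assertion, IDP_AUTH_LOG) or ["ok"])
```

In a real deployment the IdP log would be AD FS token-issuance events and the assertions would come from the service provider's sign-in logs; correlating the two is the part that survives a stolen signing key.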

Earlier, back in November 2019, third-party security researchers had noted
