Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Microsoft Says SolarWinds Hackers Downloaded Some Azure, Exchange, and Intune Source Code (zdnet.com) 36

Microsoft's security team said today it has formally completed its investigation into its SolarWinds-related breach and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers. From a report: The OS maker began investigating the breach in mid-December after it was discovered that Russian-linked hackers breached software vendor SolarWinds and inserted malware inside the Orion IT monitoring platform, a product that Microsoft had also deployed internally. In a blog post published on December 31, Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft's internal network, where they accessed the source code of several internal projects. "Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts," the company said today, in its final report into the SolarWinds-related breach.
This discussion has been archived. No new comments can be posted.

Microsoft Says SolarWinds Hackers Downloaded Some Azure, Exchange, and Intune Source Code

Comments Filter:
  • Orion is their main product and it should never be used again, period. Who knows what inherent flaws it has that the hackers discovered and set aside for a rainy day? In short it's completely compromised and if I was a company using it, I would have uninstalled it from everything and cancelled the support contract months ago. Since everyone should be doing the same, that should kill SolarWinds' main revenue stream and hence the business as a whole.

    Yet here we are and everything appears to be just fine. Does

    • by Freischutz ( 4776131 ) on Friday February 19, 2021 @06:44AM (#61079244)

      Orion is their main product and it should never be used again, period. Who knows what inherent flaws it has that the hackers discovered and set aside for a rainy day? In short it's completely compromised and if I was a company using it, I would have uninstalled it from everything and cancelled the support contract months ago. Since everyone should be doing the same, that should kill SolarWinds' main revenue stream and hence the business as a whole.

      Yet here we are and everything appears to be just fine. Does that mean that (horror) companies are still using Orion? Does it mean that Microsoft (mind-numbing horror!) is still using Orion?

      The security risk that Orion presented is pretty much universally applicable to every ant-malware company out there. How many computers could you gain control of world wide if you hacked the update distribution servers of Symantec, McAfee, ESET, Bitdefender, Avast, ... , etc ?? Billions I expect. People expressed skepticism over claims that Kaspersky's systems were being used by Russian Intelligence, literally as a search engine, to scour the computers of Kaspersky customers for data. After this hack that sort of scheme no longer sounds like so far fetched. All these anti-malware suites require full disk access to function, none of what they do on your computer is transparent to you, the user, and they all have a direct connection to a third party server. People download this software and give it access to every scrap of data they own without thinking about it and pay for the privilege. That kind of access to billions of computers has to be every hacker's wet dream.

      • Maybe even less vulnerable than anti-malware software. I have only lightly used other people's installs of Orion, so I don't know to what extent it is capable of can be use for pushing configurations, but you would think that as a monitoring solution it might be possible to limit an Orion install to just "read only" status monitoring of all the devices it can connect to.

        I'd imagine where it really hurts, though, is to the extent that Orion is probably exposed to presumed-secure management networks with oth

      • by mToddh ( 7749386 )
        Goodbye SolarWinds
      • by sjames ( 1099 )

        Obligatory car analogy. No matter who drives, there exists the risk of distracted driving leading to crashing into a tree, fire hydrant, etc. You have a choice of two drivers. One of them has never had an accident of note, the other recently plowed through an elementary school after spilling his coffee in his lap while driving. Which one do you pick?

        You want to store some important papers with a lot of value attached. Do you trust the storage place offering you a steel box with two keys inside a vault with

        • by uncqual ( 836337 )

          Without more information, I can't say which driver I would pick. But if both were experienced drivers and both seemed, upon interviewing them and testing their driving skills and looking at the rest of their background, to be indistinguishable except for the coffee spilling incident, I would probably pick the driver the had the coffee spilling incident.

          This is because the driver that had the horrible accident is now very viscerally aware of the dangers of drinking coffee while driving. The other driver like

    • Another logic would suggest that their code has a higher chance of being secure now, due to people combing it for security holes with a fine-toothed comb and fixing them, as opposed to others who may not even be aware of their security holes. At least in open-sourcr projects, that is usually the case.

      Of course the counter-argument is, that that implies they actually will do or already did that. Which is likely, with everyone who can't quickly switch to something else screaming for patches. But then, that im

      • Nevermind the typos. Caffeine hasn't reached the prefrontal cortex yet. :)

      • by rtb61 ( 674572 )

        An analysis of M$ history indicates they routinely lie to maximise profits and minimise losses, shamelessly routinely lie. Any corporation dealing with them have to assume this announcement is a lie and demand a public audit into their systems, by filing a civil suit to access and confirm actual security risks, rather than PR=B$ lies pouring out of M$. The only way for any corporation relying on M$ for security is to sue to find out what really happened and what the risks really are going forward. M$ execut

  • by Slayer ( 6656 ) on Friday February 19, 2021 @06:24AM (#61079210)

    Microsoft claims, that the code seen by the attackers contained no hard coded or otherwise implied security credentials, and they almost make it sound like "nothing to see here, please move along". That sigh of relief may be a bit premature, though.

    The attackers seemed to have focused their attention on security and identity components, which are exactly the parts likely containing the most critical as of yet unknown vulnerabilities, and those with the highest impact.

    We'll probably see, how many urgent security fixes these products will receive over the next few months ...

    • Well, all the code I run is certain to have its sources downloaded by hackers, including any unknown vulnerabilities. I guess I'm fucked :p

      • by Bert64 ( 520050 )

        Closed source = only blackhats have access to the code, giving them an advantage
        Open source = whitehats have access to the code too so everyone is on a level field

        • by BAReFO0t ( 6240524 ) on Friday February 19, 2021 @08:39AM (#61079368)

          Both cases = Everybody assumes somebody else does the cumbersome work of combing all the code for security holes. Especially the hard to understand crucial core parts that nobody wants to touch. ;)

          Open source is undoubtedly better. But don't make the assumption that just because it can be done, it actually is done. (Or that unless you are an auditor, you could judge the competence of an auditor.)

          • by Slayer ( 6656 )

            If you look at the long term track record of most established open source projects, even moderately critical bugs are fixed much, much more quickly than even super-critical bugs in most parts of the closed source world. Also, the fixed to open source products are universally available, whereas patches to closed source software are frequently offered in tranches based on priority level.

            Note, how I used the phrase "over the next few months" instead of "today" in my original message.

            • by deKernel ( 65640 )

              I believe (with no statistical information other that ad-hoc experiences) you are correct that typically the open source products get patched sooner, but that still doesn't fix the issue of the vulnerability being there initially which is the crux of the whole issue.

    • Microsoft claims, that the code seen by the attackers contained no hard coded or otherwise implied security credentials, and they almost make it sound like "nothing to see here, please move along". That sigh of relief may be a bit premature, though.

      The attackers seemed to have focused their attention on security and identity components, which are exactly the parts likely containing the most critical as of yet unknown vulnerabilities, and those with the highest impact.

      We'll probably see, how many urgent security fixes these products will receive over the next few months ...

      It's a good thing it is in the cloud, which keeps your data invulnerable.

  • by Impy the Impiuos Imp ( 442658 ) on Friday February 19, 2021 @06:53AM (#61079252) Journal

    and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers

    Well, if, thanks to this, "pivot" becomes associated with criminal activity, maybe it can finally be removed from business "bullshit bingo" cards.

  • Perhaps they were ethical hackers who were empathetic to the misery inherent in Exchange Sysadmins and intent on fixing the problem?

    Oh wait.. They already have. [zimbra.com]
  • Don't go online.

    • *laughs in Stuxnet*

      Or the 90s hacker teen variant: USB stick into the PC at the doctor's office while waiting for the doc, waiting a few seconds for autorun to launch your malware, pull it out, go home and enjoy your new botnet! ;)
      (OK the latter still requires Internet access for the command & control channel, but not for the infecting. And also only an outgoing connection, so firewalls won't help.)

      Another version was dropping a USB drive (or floppy, back in the days) into somebody's mailbox, decorated

  • Suuuurre.

  • Poor hackers. The things they've seen that man was not meant to know.

  • Now everybody who ever leaked something or had bad security is gonna come out and claim it was "dem SolarWinds hackers! Totally not our bad security." to please the war drummers that grant contracts. :D

  • Will probably tremendously improve the hackers' skills. About 3 years ago I got a close look at the Azure Storage code and it was very well-written. Clever, but not in Scalzi's Law ways. Every return value was checked . Every method call wrapped (where appropriate) in try/catches. Very well commented. Clearly written to be read by people who weren't the original developers.

  • by organgtool ( 966989 ) on Friday February 19, 2021 @11:16AM (#61079796)
    Does this mean we could one day see a fork that provides useful feedback about why an Azure AD group policy failed on a device? After being forced to use Microsoft products after 15 years of avoiding them at all costs, it amazes me that the error messages in all of their products are still completely worthless. I used to blame this on the developers but I recently noticed an error message that suggested contacting support. That got me to realize that these vague error messages could be a way to force enterprise users to contact Microsoft support and endure all of the fees that go along with it. Either way, their products contain a lot more lipstick but it's still on a filthy, disgusting, diseased pig.
  • few days ago, we had this exaggerated declaration from MS president "SolarWinds Hack Was 'Largest and Most Sophisticated Attack' Ever" relayed on /. The reason why is now clear: they got badly pwned. It does look less bad to be defeated by gurus than noobs BUT ... Putting this 2 declarations together we get that the source code of their core business is in the hand of very capable hackers, but nothing to worry about ! I wish them good luck to convince anyone.
  • by theendlessnow ( 516149 ) * on Friday February 19, 2021 @12:40PM (#61080116)
    Microsoft touts the idea that their systems are much safer than open source software because you can't see their code.

    So much so, that most critical vulnerabilities can be safely deferred and worked on as needed, because, you didn't know.

    Out of sight, out of mind.

    Microsoft is "taking care of you". The idea is that they can fix critical problems (and believe me, the list is larger than you can imagine) at their leisure, because.... people don't know about them.

    Here's the problem... now we can know. Or maybe worse, the only people that "now know" aren't the greatest examples of humanity out there.
  • ... they also got access to Dovecot, Xen, and Kubernetes source.

    See, the Free World is in just as much danger as those behind Microsoft's Iron Curtain.

  • by awwshit ( 6214476 ) on Friday February 19, 2021 @05:03PM (#61081104)

    The hax0rs got the poo on them. Now the poo will be exposed for all to see, one dingelberry at a time.

  • Why doesnt Microsoft use github for everything ?
  • And what about the usual security systems? I mean, what brands do you guys use? I am going to install a new home security system. I would like to have a professional system. I am considering several variants. Most of all I like Ajax https://ajax.systems// [ajax.systems]. That company seems to be the most progressive one. I have studies all their products and opportunities it offers. I think it will be a good idea to spend money on such a modern and functional system. But I would like to ask for some other recommendations

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...