Microsoft failed to beef up defenses that could have limited SolarWinds hack: US Senator




SAN FRANCISCO (Reuters) – Microsoft Corp’s inability to resolve known issues with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of U.S. Senator Ron Wyden.

A vulnerability that was first revealed publicly by researchers in 2017 allows hackers to fake the identities of authorized employees to access customer cloud services. The technique was one of many used in the SolarWinds hack.

Wyden, who blamed tech companies for security and privacy concerns as a member of the Senate Intelligence Committee, criticized Microsoft for not doing more to prevent fake identities or alert customers to them.

“The federal government is spending billions on Microsoft software,” Wyden told Reuters ahead of a SolarWinds hearing Friday in the House of Representatives.

“It should be safe to stop spending before finding out why the company has not notified the government of the Russian hacking technique, which Microsoft has known about since at least 2017,” he said.

Microsoft President Brad Smith will testify before the House committee investigating the SolarWinds hacks on Friday.

U.S. officials blamed Russia for the massive intelligence operation that penetrated SolarWinds, which makes software to manage networks, as well as Microsoft and others, to steal data from multiple governments and around 100 companies. Russia denies any responsibility.

Microsoft disputed Wyden’s findings, telling Reuters that the design of its identity services was not at fault.

In response to Wyden’s written questions on February 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “had never been used in an actual attack” and “had not been seen as a risk by the intelligence community, nor was it reported by civilian agencies.”

But in a public notice after the SolarWinds hack on December 17, the National Security Agency called for closer monitoring of identity services, noting: “This SAML tampering technique has been known and used by cyber actors since at least 2017.”

In response to additional questions from Wyden this week, Microsoft admitted that its programs were not configured to detect theft of identity tools for granting cloud access.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure showed security risks in the cloud should be a higher priority.

Sophisticated identity abuse by hackers “exposes a worrying weakness in the way cloud computing giants invest in security, perhaps failing to adequately mitigate the risk of high-impact, low-probability outages in cloud systems. the root of their security model,” Herr said.

In testimony to Congress Tuesday, Microsoft’s Smith said only about 15% of victims of the SolarWinds campaign were harmed through Golden SAML. Even in these cases, hackers must already have access to the systems before deploying the method.

But Wyden staff said one of those victims was the US Treasury, which lost emails from dozens of officials.

Reporting by Joseph Menn; edited by Jonathan Weber and Howard Goller
