Microsoft failed to bolster defenses that could have limited the SolarWinds hack: US Senator

SAN FRANCISCO (Reuters) – Microsoft Corp’s failure to fix known issues with its cloud software facilitated the massive SolarWinds hack that compromised at least nine federal government agencies, according to security experts and the office of U.S. Senator Ron Wyden.

A vulnerability first revealed publicly by researchers in 2017 allows hackers to impersonate authorized employees to gain access to customers’ cloud services. The technique was one of many used in the SolarWinds hack.

Wyden, who has criticized technology companies over security and privacy issues as a member of the Senate Intelligence Committee, criticized Microsoft for not doing more to prevent forged identities or to warn customers about the technique.

“The federal government spends billions on Microsoft software,” Wyden told Reuters ahead of a SolarWinds hearing on Friday in the House of Representatives.

“Care should be taken when spending more before finding out why the company did not warn the government about the hacking technique that the Russians used, which Microsoft has known since at least 2017,” he said.

Microsoft President Brad Smith will testify on Friday before the House committee investigating the SolarWinds hack.

American officials blamed Russia for the massive intelligence operation that penetrated SolarWinds, which makes software to manage networks, as well as Microsoft and others, to steal data from various governments and about 100 companies. Russia denies responsibility.

Microsoft contested Wyden’s conclusions, telling Reuters that the design of its identity services was not to blame.

In response to Wyden’s written questions on February 10, a Microsoft lobbyist said the identity trick, known as Golden SAML, “was never used in a real attack” and “was not prioritized by the intelligence community as a risk, nor was it signaled by civilian agencies.”

But in a public statement following the SolarWinds hack on December 17, the National Security Agency asked for closer monitoring of identity services, noting: “This SAML counterfeiting technique has been known and used by cyber attackers since at least 2017.”

In response to additional questions from Wyden this week, Microsoft acknowledged that its products were not configured to detect the theft of the identity tools used to grant access to the cloud.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the flaw showed that cloud security risks should be a higher priority.

The hackers’ sophisticated identity abuse “exposes a worrying weakness in how cloud computing giants invest in security, perhaps not adequately mitigating high-impact risk and low-probability failures in systems at the root of their security model,” Herr said.

In testimony to Congress on Tuesday, Microsoft’s Smith said that only about 15% of victims in the SolarWinds campaign were compromised via Golden SAML. Even in those cases, the hackers would already have had to gain access to the victims’ systems before they could use the method.

But Wyden’s team said one of those victims was the US Treasury, which lost emails from dozens of employees.

Reporting by Joseph Menn; edited by Jonathan Weber and Howard Goller
