SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in his Office 365 environment, compromised by a company email account and used to access the accounts of targeted SolarWinds staff in business and technical roles.
Ramakrishna said hackers most likely infiltrated the environment of SolarWinds through compromised credentials and/or a third-party program that capitalized on a zero-day vulnerability.
Beleaguered Austin, Texas-based IT infrastructure manager, said the SolarWinds email account was compromised and used to programmatically access targeted SolarWinds personnel accounts in business and technical roles.
By compromising the credentials of employees of SolarWinds, Ramakrishna said that hackers have been able to access and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft of a compromise concerning its Office 365 environment on Dec. 13, the same day news of the hack was made public.
SolarWinds’ investigation has not identified a specific vulnerability in Office 365 that would have allowed hackers to enter the company’s environment through Office 365, he said Wednesday. A day earlier, Ramakrishna told The Wall Street Journal that one of the few theories the company was pursuing is that the hackers used the compromised Office 365 account as the initial point of entry into SolarWinds.
Ramakrishna said that SolarWinds analyzed data from multiple systems and logs, including our Office 365 and Azure tenants, as part of its investigation. The SolarWinds hack is believed to be the work of Russia’s foreign intelligence service.
Some 30% of the private sector and government victims of the massive hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cyber Security and Infrastructure Security Agency, said Friday in The Wall Street Journal. But he said investigators have not identified another company whose products have been largely compromised to infect other firms as SolarWinds has been.
In its Thursday blog, the Microsoft team says that the compromise techniques used by SolarWinds hackers included “password spraying, spear-phishing and use of web shell through a web server and delegated credentials.”
Earlier this week, CISA Director Brandon Wales told The Wall Street Journal that SolarWinds cyberespionage had access to targets using a multitude of methods, including password spraying and exploiting vulnerabilities in cloud software.
“As part of the investigative team working with FireEye, we were able to analyze the attacker’s behaviour with a forensic investigation and identify unusual technical indicators that would not be associated with normal user interactions. We then used our telemetry to search for those indicators and identify organizations where credentials had likely been compromised by the [SolarWinds hackers],” Microsoft’s security team says.
But Microsoft says there is no evidence that the SolarWinds hackers used Office 365 as an attack vector.
“We have investigated thoroughly and have found no evidence they [SolarWinds] were attacked via Office 365,” the Microsoft researchers say. “The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation.”
SolarWinds’ Ramakrishna and Alex Stamos, former Facebook CSO and now a partner of Krebs Stamos Group hosted two webinars on Thursday to share how SolarWinds works to ensure that the company is better prepared to defend itself against other cyber attacks.
Ramakrishna and Alex Stamos have made a series of recommendations on how SolarWinds and other companies can help protect themselves against sophisticated attacks by SVR and others. For example, they recommended the implementation of pen testing, multifactor authentication, DevSecOps practices and identity management system audits, as well as the focus on accountability for all codes.
Ramakrishna says SolarWinds will soon make its full recommendations public.
While we learned of SolarWind’s attack on December 13th, the first disclosure of its consequences was made on December 8th, when FireEye, a leading cybersecurity firm, revealed that it had been hacked by a nation-state APT group.
In their supply chain attack, hackers added a backdoor dubbed “Sunburst” to SolarWinds’ Orion network monitoring software as early as September 2019, according to the company’s analysis.