Microsoft Hacked (By Russia this time), Part Infinity

“Hello, Comrades.”

Reuters:

“Microsoft Corp said on Thursday it found malicious software in its systems related to a massive hacking campaign disclosed by U.S. officials this week, adding a top technology target to a growing list of attacked government agencies.

“Microsoft also had its own products leveraged to attack victims, said people familiar with the matter. The U.S. National Security Agency issued a rare ‘cybersecurity advisory’ Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems.”

ZDNet:

The state-sponsored hackers who breached US software provider SolarWinds earlier this year pivoted to Microsoft’s internal network, and then used Microsoft’s own products to further the attacks against other companies, Reuters reported today citing sources familiar with the investigation.

We should note that Cadet Bone Spurs forced MS Azure on the Pentagon, possibly illegally bypassing Amazon Web Services because: vengeance on the WaPo, owned by Bezos. Or maybe because the home office in Moscow wanted it. Who can say?

Oh, I guess I can:


7 Responses to Microsoft Hacked (By Russia this time), Part Infinity

  1. sos says:

    Spyitude! Moscow will steal all that delicious MS buggy release code and we’ll have Putin right where we want him!


  2. This just keeps getting worse and worse.

    The “Microsoft also had its own products leveraged to attack victims, said people familiar with the matter.” bit, though, is a little overblown. The bad guys broke in, got the rights to use absolutely normal administrative functions of MS Exchange to steal emails.

    Gory details from US-CERT here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

    The REALLY scary bit to me right now is that in at least one case another computer security firm found one of their clients’ email being accessed even though they had 2-factor authentication via Duo set up. They managed to get the authentication key to present to the system saying ‘This person has already been authenticated, no need to do it again.’

    https://www.schneier.com/blog/archives/2020/12/how-the-solarwinds-hackers-bypassed-duo-multi-factor-authentication.html

    Again this wasn’t a “hack” of Microsoft’s software so much as a completely normal thing any person with top-level admin privs on the system would have during the normal course of business.

    And this information is even worse because this is a hack Volexity was tracking in late 2019.

    All this from a company, SolarWinds, which had re-branded themselves as a network security company that didn’t even have a chief information security officer (they have a job opening posted NOW for a ‘VP of Security’), no way to report vulnerabilities, and in at least one case had a password for their update distribution systems viewable on a public website. It was ‘solarwinds123’. https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8

    There really should be criminal liability for this company and its officers.

    hard “Life in Leavenworth” kind of liability…


    • Ten Bears says:

      That may be reassuring to the non-techies, but having had top-level admin privs on several M$ back-office systems, that’s not reassuring me. Never tried editing someone else’s e-mail, or creating new ones, but I bet I could. Word 97


  3. Buttermilk Sky says:

    “Dillinger and I discussed ways to make banks more secure.”
    Thirty-three more days.


  4. Wikipedia’s entry on SolarWinds is informative: https://en.wikipedia.org/wiki/SolarWinds
    Between 2011 and 2020 they bought like 20 different companies and stuffed them into their ‘product line’. (Also, at one point they were owned by Bain Capital…)

    There is NO WAY IN HELL that many different systems and programming teams could possibly be integrated into a coherent single company with a rigorous culture of security (instead of ‘getting it out the door for the 4th quarter juking of the stats’), but they were wrapped in a very impressive layer of marketing.

    My department just underwent a HIPAA security audit; it was a sobering and grueling experience and now we have a giant stack of action items to respond to. We’re a close-knit 3-person department serving about 1200 students, staff and faculty, with decades of experience between us; the auditor told us we did a hell of a lot better than most of the rest of campus, and we still have places where we were not fully aware of vulnerabilities.

    There was more than one ‘Oh holy shit!’ moment during our audit, and all we do is pretty much email, file servers and a handful of webservers.

    Computer security, especially on an enterprise scale, is really, really hard. It’s rocket surgery hard. And when faced with attackers like this who are really fucking good and backed with the resources of a nation-state, it gets upped a couple of orders of magnitude to rocket-surgery-while-the-rocket-is-blasting-off hard.

    I repeat from my previous post: SolarWinds did NOT HAVE, AND STILL DOES NOT HAVE, A Chief Information Security Officer, someone who could override the VP of Sales when they promised shit that couldn’t work.

    My university has an entire campus-wide hierarchy of people with delegated ISO responsibilities, all feeding back onto a robustly staffed ISO office answering to the CISO who reports to the President.

    The SolarWinds hack is the catastrophic failure model of end-stage capitalism writ large. It’s exactly like the Boeing 737 MAX catastrophic failure, where marketing and profit took precedence over engineering and safety. Pretty much OUR ENTIRE GOVERNMENT has been compromised, by a hostile adversary, for AN UNKNOWN LENGTH OF TIME.

    I am SO glad I’m not one of the people in charge of that security stuff right now…


    • tengrain says:

      BDR –

      One of the things that became clear to me at IBM (Motto: “where software goes to die”) was that when they bought a small company, what they really wanted was to buy the customers, and offer them an upgrade to whatever IBM had that was current. But if the customer said no, IBM kept the legacy product alive (barely). COBOL lives at IBM.

      Nothing was ever really integrated into the stack, it just sat out there on life support.

      SolarWinds sounds like they have the same strategy. Disaster ensues.

      Rgds,

      TG


      • Actually I think SolarWinds was worse than IBM’s ‘embrace and extinguish’ mode… they did not have any product like the companies they bought… they bought the companies to build their product.

        Which is how you get “computer” “network” “security” software suites that look like:

