Nonetheless, cyber spies continued to abuse the code during the second phase of the campaign, rushing through and damaging emails and other files of high-value targets such as then-Department of Homeland Security chief Chad Wolf. It was Microsoft that flew undetected between his networks.
This has drawn attention to the world’s third most valuable company. Its products are a de facto monoculture in government and industry, with a market share of over 85%, so federal lawmakers insist that Microsoft quickly upgrade security to what they say it should have provided in the first place, without extra cost to taxpayers.
Last week, to alleviate concerns, Microsoft offered all federal agencies a year of “advanced” security features at no extra charge, but it also aims to deflect, accusing customers of not always prioritizing security.
The risk of Microsoft’s foreign trade was also mitigated when the Biden administration on Thursday imposed sanctions on half a dozen Russian IT companies that it said supported Kremlin hacking. The most prominent was Positive Technologies. It is one of more than 80 companies that Microsoft provided with early access to data on vulnerabilities detected in its products. After the sanctions were announced, Microsoft said Positive Tech was no longer part of the program and removed its name from the website’s list of participants.
The SolarWinds hackers took advantage of what George Kurtz, CEO of cybersecurity leader CrowdStrike, has called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies (such as the Department of Justice and the Department of the Treasury) and over 100 private sector companies and think tanks, including software and telecommunications providers.
A report from the independent Atlantic Council think tank states that the SolarWinds hackers’ exploitation of Microsoft’s identity and access architecture (which verifies users’ identities and grants access to email, documents, and other data) caused the most dramatic damage. This made the hack stand out as an “extensive intelligence coup.” In almost all cases of post-intrusion mischief, the intruders quietly moved through Microsoft products, “vacuuming emails and files from dozens of organizations.”
The intruders could jump between organizations or move laterally, thanks in part to the carte blanche that victim networks granted the infected SolarWinds network management software in the form of administrator privileges. They used it to sneak into the cybersecurity company Malwarebytes and target customers of email security company Mimecast.
The “feature” of the campaign was the intruders’ ability to impersonate legitimate users and create counterfeit credentials to retrieve data stored remotely by Microsoft Office. “It’s all because it broke the system that manages trust and identity on the network,” he said.
Microsoft President Brad Smith said at a congressional hearing in February that only 15% of victims were compromised by an authentication vulnerability that was first identified in 2017. It allows an intruder to impersonate an authorized user by forging the equivalent of a counterfeit passport.
Microsoft officials have emphasized that the SolarWinds update was not always the entry point. Intruders could exploit vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company overlooked security. Democratic Senator Ron Wyden verbally blamed Microsoft for not providing federal agencies with a level of “event logs” that, if it did not detect the SolarWinds hack in progress, would at least have given responders a record of where the intruders were and what they saw and removed.
“Microsoft chooses default settings for the software it sells. We’ve known for years about the hacking techniques used against US government agencies, but I didn’t set the default log settings to get the information we need to identify ongoing hacks,” says Wyden. He wasn’t the only one to complain.
When Microsoft on Wednesday announced the year of free security logging for federal agencies, for which it usually charges a premium, Wyden wasn’t soothed.
“This move is far less than what is needed to make up for Microsoft’s recent failure,” he said in a statement. Cyber security sinkhole. “
Rep. Jim Langevin (D-R.I.) pressed Smith on the security logging upsell in February, comparing it to making car seat belts and airbags optional when they should be standard. He gave Microsoft a year’s grace, but said long-term conversations would be “not the center of profit.” “This buys us a year,” he said.
However, even the highest levels of logging do not prevent intrusion. It only makes it easier to detect them.
Also, many security experts point out that Microsoft itself was compromised by the SolarWinds intruders, who gained access to part of its source code, its crown jewels. Microsoft’s complete suite of security products, and some of the industry’s most skilled cyber defense experts, failed to detect the ghost in the network. FireEye, the first cybersecurity company to detect the hacking campaign in mid-December, warned of its own breach.
The intruders in an unrelated hack of Microsoft Exchange email servers disclosed in March (attributed to Chinese spies) used a completely different method of infection. However, they immediately gained a high level of access to users’ email and other information.
Microsoft’s investment in security is widely recognized throughout the industry. It is often the first to identify major cybersecurity threats, since its visibility into networks is very good. However, many argue that as the chief supplier of security solutions for its own products, it needs to pay more attention to how much it should profit from defense.
“At the heart of it is that Microsoft sells you illnesses and cures,” said Marc Maiffret, a cybersecurity veteran who has built a career in finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave. A $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million allocated to the Cybersecurity and Infrastructure Security Agency in last month’s $1.9 trillion pandemic relief package.
A Microsoft spokesperson referred the question to the cybersecurity agency and didn’t say how much money the company could get. Agency spokesman Scott McConnell didn’t say either. Langevin said he didn’t think a final decision had been made.
During the budget year ending in September, the federal government spent more than $500 million on Microsoft software and services.
Many security experts believe Microsoft’s single sign-on model, which values user convenience over security, is ripe for modification to reflect a world in which state-sponsored hackers routinely rage across U.S. networks.
Alex Weinert, director of identity security at Microsoft, said it offers customers a variety of ways to strictly limit users’ access to what they need to do their jobs. However, it can be difficult for customers to succeed, as it often means abandoning 30 years of IT habits and disrupting the business. He said customers tend to configure too many accounts with the wide-ranging global administrative privileges that allowed the abuses in the SolarWinds campaign. “It’s not the only way they can do it, it’s for sure.”
From 2014 to 2015, loose restrictions on access allowed Chinese spies to steal the sensitive personal data of more than 21 million current and future federal personnel from the Office of Personnel Management (OPM).
Curtis Dukes was the Information Assurance Officer of the National Security Agency at the time.
OPM used Microsoft’s authentication architecture to share data across multiple agencies and granted access to more users than was safely needed, said Dukes, who currently manages a non-profit Internet security center.
“People took their eyes off the ball.”
Microsoft is getting a lot of attention with SolarWinds hacking campaigns