Microsoft has confirmed that it was one of the companies breached in the recent SolarWinds supply chain attack, but the IT giant denied that the nation-state actors compromised its software supply-chain to infect its customers.
Last week, Russia-linked hackers breached SolarWinds, the attackers had used a trojanized SolarWinds Orion business software updates to distribute the backdoor tracked as SUNBURST (aka Solarigate (Microsoft)).
The company notified roughly 33,000 Orion customers of the incident, but it argued that less than 18,000” customers may have used the backboard version of its products.
According to a report published by Reuters agency citing anonymous sources familiar with the investigation, Microsoft also compromised in the SolarWinds supply–chain attack and the hackers were able to compromise its software to distribute malware to its clients.
“As with networking management software by SolarWinds, Microsoft’s own products were then used to further the attacks on others, the people said.” reported the Reuters agency.
“It was not immediately clear how many Microsoft users were affected by the tainted products.”
Basically, the report states that Microsoft itself was the victim of a supply chain attack, a circumstance that the company denied.
Microsoft issued the following statement in response to the reports published by the media.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
Frank Shaw, the corporate vice president of communications at Microsoft, confirmed that its company detected multiple malicious SolarWinds binaries in its environment, but excluded that that the company’ clients were impacted.
The Cybersecurity and Infrastructure Security Agency (CISA) published an alert to warn of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. According to CISA, the attack was carried out by an APT group that demonstrated patience, operational security, and complex tradecraft in these intrusions.
CISA experts pointed out that removing this threat actor from compromised environments will be highly complex and challenging for organizations.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated.” reads the alert.
Microsoft, FireEye, and GoDaddy have partnered to create a kill switch for the Sunburst backdoor that was employed in the recent SolarWinds hack.
(SecurityAffairs – hacking, SolarWinds)