The threat actors behind the SolarWinds attack could have compromised a small number of internal accounts and used at least one of them to view source code in a number of source code repositories.
Shortly after the disclosure of the SolarWinds attack, Microsoft confirmed that it was one of the companies breached in the recent supply chain attack, but the IT giant denied that the nation-state actors compromised its software supply-chain to infect its customers.
Frank Shaw, the corporate vice president of communications at Microsoft, confirmed that the company detected multiple malicious SolarWinds binaries in its environment.
A Microsoft internal Solorigate investigation update published today revealed that the company has found no evidence that the attack impacted production services or customer data.
Microsoft also added that forged SAML tokens were not used to compromise its corporate domains.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” reads the post published by Microsoft. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
The IT giant pointed out that the account compromised by the threat actors did not have the permissions to modify any source code or engineering systems.
Microsoft plans to provide additional updates to support the community if and when its experts discover new information.
“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” concludes Microsoft.
“As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.”
(SecurityAffairs – hacking, SolarWinds)