Microsoft adopted ‘aggressive’ strategy for sharing SolarWinds Attack intel

In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat. That role has evolved as attacks grow more complex – and it presents a tricky challenge when a provider must keep businesses informed of an attack that has infiltrated its own walls and affected tens of thousands of its customers, as Microsoft experienced during the recent SolarWinds incident.

“A lot of the way it [the role] has changed is in the face of ever-increasing complexity and impact,” says Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance.

Microsoft faced this precise challenge a few months ago, following the major supply chain attack that initially targeted SolarWinds and distributed a backdoor Trojan to some 18,000 organizations via infected software updates. Microsoft was one of thousands affected by the tainted updates; using their access, the attackers were able to view some of its source code.

The company took steps to remediate the internal accounts that were used to view source code “in a number of code repositories.” While security experts pointed out that this access could make some steps easier for attackers, Microsoft maintained that there was no increase in risk. The company has since reported there is no evidence that attackers gained extensive access to services or user data.

Many across the industry refer to this incident as “the SolarWinds attack”; however, it’s worth noting many victims didn’t use SolarWinds at all. The same nation-state behind the malicious SolarWinds Orion updates infiltrated other organizations through their Microsoft 365 and Azure accounts. Malwarebytes also was a victim of this attack vector; Microsoft had alerted the security company to suspicious activity.

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” officials said in a blog post on the attack.

It’s one of many attacks to take advantage of Microsoft applications: criminals have begun to target Microsoft 365 accounts as quickly as businesses adopt the platform. And as security pros point out, many of tactics could be avoided by simply turning on features built into Office 365 Enterprise plans – the problem is, attackers seem to know the suite better than defenders do. Some are abusing features that IT admins don’t know exist.

As Microsoft investigated the extent of this attack on its own internal systems, researchers had the added responsibility of sharing intelligence that could be helpful to other organizations who may have also been infected. This took the form of more than a dozen blog posts in which internal Microsoft analysts published information about the SolarWinds attack as they learned it.

To read the complete article, visit Dark Reading.