The Hack Roundup: Adversary Accessed Microsoft Source Code

Microsoft urged defenders to activate the most restrictive access settings possible while revealing that perpetrators of the massive cyber intrusion affecting public and private-sector entities have seen their internal code in a form that is decipherable by humans.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the company wrote in a blog post Thursday. 

The company reiterated that malicious binaries from an update distributed by ubiquitous IT management company SolarWinds had been isolated and removed and that there was no indication Microsoft systems had been used to penetrate others. The latest blog post on the company’s ongoing investigation, however, “revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment.”

Source code uses generally understood alphanumeric characters to describe software functions that are later converted into the inscrutable ones and zeros that machines process. Experts raised concerns the hackers now have material that could more easily enable future attacks, but Microsoft downplayed the implications of the breach.

“The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made,” Microsoft said. “These accounts were investigated and remediated.” 

The blog post added that Microsoft’s source code is open source, meaning they don’t count on its secrecy for security but rather assume malicious actors already have knowledge of it. “Viewing source code isn’t tied to elevation of risk,” the company said.

The company stressed the value of security best practices and particularly urged organizations to implement privileged access workstations, the highest security configuration that includes controls and policies to “restrict local administrative access and productivity tools to minimize the attack surface to only what is absolutely required for performing sensitive job tasks.”

Organizations can expect more guidance from the Cybersecurity and Infrastructure Security Agency on remediating fallout from the multifaceted hacking campaign which extends beyond SolarWinds and also appears to have affected Microsoft resellers to target Office 365 customers. 

On Wednesday, CISA updated a supplement to its emergency directive instructing federal agencies to disconnect or power down certain “affected versions” of the company’s software on their systems and to await further guidance before installing patches.

“All federal agencies operating versions of the SolarWinds Orion platform other than those identified as ‘affected versions’...are required to use at least SolarWinds Orion Platform version 2020.2.1HF2,” CISA said. “The National Security Agency has examined this version and verified that it eliminates the previously identified malicious code.”

Version 2020.2.1 HF2 will address both the SUNBURST malware, which has been associated with a sophisticated nation-state actor, and what appears to be a copycat SUPERNOVA malware, according to updated guidance SolarWinds released Dec.28.

In 2021, “All instances that remain connected to federal networks must be updated to 2020.2.1 HF2,” the agency said, noting “CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements.”