Microsoft has completed its internal investigation about the Solorigate (SolarWinds) security incident, and has discovered that the attackers were very interested in the code of various Microsoft solutions. The attackers viewed some files here and there, but they also managed to download source code from a “small number of repositories,” and this includes the code for some important Microsoft Azure components.
What the attackers did and did not do
Microsoft made sure to point out that they have found no evidence of the attackers accessing production services or customer data, or of them having managed to use systems at Microsoft to mount attacks against other targets, gain access to privileged credentials or leverage the SAML techniques against the company’s corporate domains.
On the other hand, the attackers managed to view files from a variety of Microsoft source code repositories, and to download source code of a small subset of Azure components (subsets of service, security, identity), as well as Intune and Exchange components.
They will likely use information gleaned from these files to discover potential vulnerabilities and to better craft future attack methods, exploits, or avenues.
“The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials,” the MSRC team explained.
The company attributes the limited scope and impact of this incident to its zero trust mindset, layered security, and protection of credentials.
Vasu Jakkal, CVP of Security, Compliance and Identity at Microsoft, laid out tips and links to help other organizations do the same.
“We know that we all have an important role to play in strengthening and empowering the defender community at large. It was great to see this sharing in action in December when FireEye first alerted the community of a ‘global intrusion campaign,’” she noted.
“We encourage every company, of every size, to work with the community to share information, strengthen defenses and respond to attacks.”
UPDATE (February 24, 2021, 02:30 a.m. PT):
SonicWall has released new firmware versions for both 10.x and 9.x code on the SMA 100 series products.
The new SMA 10.2 firmware includes code-hardening fixes identified during an internal code audit, rollup of customer issue fixes not included in the Feb. 3 patch, general performance enhancements, and previous SMA 100 series zero-day fixes posted on Feb.
The new 9.0 firmware includes code-hardening fixes identified during an internal code audit.
“All organizations using SMA 100 series products with 10.x or 9.x firmware should apply the respective patches IMMEDIATELY,” the company advised.