- Following discovery of malicious SolarWinds applications in its systems, Microsoft found evidence malicious actors viewed some internal source code in its repositories, Microsoft said last week. The company found no changes to the code were made.
- The SolarWinds compromise, realized three weeks ago, has organizations rushing to discover the full extent of the damage. At least 250 organizations are impacted, including government agencies and businesses, according to a New York Times report.
- Scrutiny is centered around supply chain impacts. Cybersecurity firm CrowdStrike found evidence of compromises through Microsoft resellers, according to a December blog post. A Microsoft reseller's Azure account, which manages CrowdStrikes Microsoft Office licenses, made abnormal cloud API calls in a failed attempt to read email.
SolarWinds' technology served as an access point to a vast network, revealing systemic security vulnerabilities. With Microsoft working through the fallout, industry attention is turning toward who else was targeted and what the malicious actors, suspected Russian hackers, were after.
"What this reveals is just how insecure our supply chains really are and overlooked," said Graham Holmes, CSO of PacketFabric.
"The attack on Microsoft's resellers and others is no different than the exploit that happened with Home Depot and leveraging flaws in the security of an HVAC provider, who serviced some of these systems," Holmes said. "It gets back to the fundamental weakness in all of these things, which is how do you secure a very porous boundary" in any operating environment.
Though it is unknown what Microsoft source code malicious actors viewed, it creates an opportunity to better understand how the company's services work. Though Microsoft was quick to say it is not reliant on code secrecy for security because it follows an innersource approach, risk persists.
The fastest way to find weaknesses in code is to look at the code, according to Holmes. Gaining access to source code is desired because it serves as a shortcut to trial and error planning to try and discern what problems there are in compiled code.
Even if Microsoft follows open source or innersource practices, it's still a vulnerability.
Solorigate exposed the number of weaknesses that exist across industry, Holmes said. There's a general problem with supply chain security and "everybody prioritizes features before security."