The SolarWinds hack that revealed vulnerabilities in FireEye, Microsoft, and other CSPs is another evolution in the war against cyber crime. Cybersecurity teams and security tools will be responding to the breach, ensuring that the rest of us don't fall victim to a carbon copy attack.
How are your security teams preparing against this specific threat?
What are your teams doing to respond to future zero-day attacks?
CSA hopes guidance on Cloud-Based, Intelligent Systems helps teams detect, analyze, and react in today's cloud-centric world. Read Paul's blog and download the publication:
SolarWinds - How Cybersecurity Teams Should | Cloud Security Alliance
Hi John, what vulnerabilities were revealed for Microsoft in the SolarWinds breach? I have read many articles on the topic and cannot find any evidence that Microsoft was a victim or a contributor. What led you to believe what you wrote about vulnerabilities in Microsoft and "other CSPs"?
There is still more investigating before we have a complete picture. The Orion platform is deployed in a lot of cloud environments, including Azure. It was reported by Microsoft that Office 365 accounts and Azure Active Directory were main targets, and some customers claim to be compromised. The malicious code from Orion did create back doors that were detected by major CSPs and, even though it doesn't appear that all have necessarily been exploited yet, it has caused a rapid response plan to take place.
Microsoft showed an extremely quick and stringent response to the attack (shared in another post) on removing digital certificates used by the malware, updating Windows Defender detection, sinkholing the exploited domain, and immediate quarantining of malicious SolarWinds binaries on live customer servers that could disrupt overall server function.
Without intending to throw up too many specific flares on this attack, the call to action comes to how we can better ingest, understand, and respond to today's complex attacks on cloud, especially as we become more dependent on the growing cloud supply chain.
I agree with @Paul Rich that your intro-text is a bit too short-sighted. There are no specific indicators that MSFT (or any other CSP for that matter) suffered 0day vulnerabilities. They gained access to those environments after already being in the on-prem network and using known TTPs. There is a good write-up on Bleeping Computer here: "The two tactics, techniques, and procedures (TTPs) discussed in NSA's advisory have been in use since at least 2017 and refer to forging Security Assertion Markup Language (SAML) tokens for single sign-on (SSO) authentication to other service providers."
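The forged-SAML-token TTP quoted above has a well-known defensive counterpart: a forged assertion is presented to the service provider, but the identity provider never logged minting it. The following is an added example written for this thread, not code from the discussion, the NSA advisory or any vendor. It correlates constructed IdP issuance records with constructed service-provider sign-in records and flags assertions with no issuance record, a subject that differs from what the IdP issued, or a validity window longer than policy allows. The record field names (`assertion_id`, `subject`, `not_before`, `not_on_or_after`) and the one-hour lifetime policy are assumptions chosen for the example, not any product's log schema.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample IdP (federation server) issuance audit records.
# Each record says: the IdP minted this assertion ID for this subject at this time.
IDP_ISSUANCE = [
    {"assertion_id": "_a1", "subject": "alice@example.com",
     "issued_at": "2020-12-14T09:00:00Z", "expires_at": "2020-12-14T10:00:00Z"},
    {"assertion_id": "_a2", "subject": "bob@example.com",
     "issued_at": "2020-12-14T09:05:00Z", "expires_at": "2020-12-14T10:05:00Z"},
]

# Constructed sample service-provider sign-in records: what the SP actually accepted.
# The third entry has no IdP counterpart and a 24-hour validity window.
SP_SIGNINS = [
    {"assertion_id": "_a1", "subject": "alice@example.com", "seen_at": "2020-12-14T09:00:05Z",
     "not_before": "2020-12-14T09:00:00Z", "not_on_or_after": "2020-12-14T10:00:00Z"},
    {"assertion_id": "_a2", "subject": "carol@example.com", "seen_at": "2020-12-14T09:05:10Z",
     "not_before": "2020-12-14T09:05:00Z", "not_on_or_after": "2020-12-14T10:05:00Z"},
    {"assertion_id": "_zz9", "subject": "admin@example.com", "seen_at": "2020-12-14T11:00:00Z",
     "not_before": "2020-12-14T11:00:00Z", "not_on_or_after": "2020-12-15T11:00:00Z"},
]

# Assumed policy: the IdP never issues assertions valid for longer than one hour.
MAX_ASSERTION_LIFETIME = timedelta(hours=1)


def _ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample records as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_assertions(idp_events: List[Dict], sp_events: List[Dict],
                               max_lifetime: timedelta = MAX_ASSERTION_LIFETIME) -> List[Dict]:
    """Correlate SP sign-ins with IdP issuance records and return those that do not line up.

    Reasons reported:
      no_idp_issuance         - SP accepted an assertion the IdP has no record of minting
      subject_mismatch        - IdP minted that assertion ID for a different subject
      lifetime_exceeds_policy - assertion validity window is longer than policy allows
    """
    issued = {e["assertion_id"]: e for e in idp_events}
    findings = []
    for signin in sp_events:
        reasons = []
        record = issued.get(signin["assertion_id"])
        if record is None:
            reasons.append("no_idp_issuance")
        elif record["subject"].lower() != signin["subject"].lower():
            reasons.append("subject_mismatch")
        lifetime = _ts(signin["not_on_or_after"]) - _ts(signin["not_before"])
        if lifetime > max_lifetime:
            reasons.append("lifetime_exceeds_policy")
        if reasons:
            findings.append({"assertion_id": signin["assertion_id"],
                             "subject": signin["subject"],
                             "seen_at": signin["seen_at"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_assertions(IDP_ISSUANCE, SP_SIGNINS):
        print(f"{f['seen_at']} {f['assertion_id']} ({f['subject']}): {', '.join(f['reasons'])}")
```

The correlation only works if the IdP's issuance log is collected somewhere the attacker could not have edited, and if the SP logs the assertion ID it accepted; both are prerequisites worth checking before relying on this detection.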