Microsoft failed to lift defense that could limit SolarWinds hack: US senator

SAN FRANCISCO (Reuters) – Microsoft Corp’s failure to resolve known issues with its cloud software facilitated the massive SolarWinds hack that endangered at least nine federal government agencies, according to security experts and U.S. Senator Ron Wyden’s office.

A weakness first disclosed by researchers in 2017 allows hackers to forge the identities of authorized employees in order to gain access to a customer’s cloud services. The technique was one of many used in the SolarWinds hack.

Wyden, who as a member of the Senate Intelligence Committee has taken technology companies to task over security and privacy issues, blasted Microsoft for failing to prevent forged identities or to warn customers about them.

“The federal government is spending billions on Microsoft software,” Wyden told Reuters ahead of a SolarWinds hearing Friday in the House of Representatives.

“We need to be careful about spending more before we find out why the company did not warn the government about the hacking technique used by the Russians, which Microsoft has known about since at least 2017,” he said.

Microsoft President Brad Smith will testify Friday before the House committee examining the SolarWinds hack.

U.S. officials have blamed Russia for the massive intelligence operation that infiltrated SolarWinds, which makes network-management software, as well as Microsoft and others, to steal data from several governments and about 100 companies. Russia denies responsibility.

Microsoft disputes Wyden’s conclusions and told Reuters that the design of its identity services is not flawed.

In response to Wyden’s written questions on Feb. 10, a Microsoft lobbyist said the identity-forgery technique, known as Golden SAML, “has never been used in an actual attack” and that the intelligence community does not cite it as a risk, nor do civilian agencies.

But in a public advisory issued on December 17, after the SolarWinds hack, the National Security Agency called for closer monitoring of identity services, noting: “This SAML forgery technique has been known and used by cyber actors since at least 2017.”
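The monitoring the NSA calls for above comes down to one correlation: every SAML assertion that a cloud service accepts should correspond to a token the organization’s own federation server actually issued, and should carry a lifetime consistent with that server’s policy. The following is an added example, not code from the article, Microsoft, or the NSA; the record formats, field names and log lines are constructed for illustration and stand in for whatever the federation server and cloud tenant actually export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record types (hypothetical field names, not any vendor's log schema).
@dataclass(frozen=True)
class FederationIssuance:
    """A token the on-premises federation server reports having issued."""
    token_id: str
    user: str
    issued_at: datetime

@dataclass(frozen=True)
class CloudSignIn:
    """A cloud sign-in that was authenticated with a SAML assertion."""
    token_id: str
    user: str
    not_before: datetime
    not_on_or_after: datetime
    seen_at: datetime

def find_suspect_assertions(issuances, signins, max_lifetime=timedelta(hours=1)):
    """Return (token_id, user, reasons) for cloud sign-ins whose assertion
    has no matching issuance record, names a different user than the
    issuance did, or has a validity window longer than policy allows.
    A forged assertion is signed with a stolen signing key rather than
    by the federation server, so it never appears in the server's own log."""
    issued = {rec.token_id: rec for rec in issuances}
    findings = []
    for s in signins:
        reasons = []
        rec = issued.get(s.token_id)
        if rec is None:
            reasons.append("no matching issuance on federation server")
        elif rec.user != s.user:
            reasons.append("assertion user differs from issuance user")
        if s.not_on_or_after - s.not_before > max_lifetime:
            reasons.append("assertion lifetime exceeds policy")
        if reasons:
            findings.append((s.token_id, s.user, reasons))
    return findings

# Constructed sample data: one legitimate sign-in, one assertion the
# federation server never issued (with an unusually long lifetime), and
# one whose subject was swapped after issuance.
T0 = datetime(2021, 2, 26, 9, 0, 0)
SAMPLE_ISSUANCES = [
    FederationIssuance("tok-0001", "alice@example.test", T0),
    FederationIssuance("tok-0002", "bob@example.test", T0 + timedelta(minutes=5)),
]
SAMPLE_SIGNINS = [
    CloudSignIn("tok-0001", "alice@example.test", T0, T0 + timedelta(hours=1), T0 + timedelta(seconds=30)),
    CloudSignIn("tok-9999", "admin@example.test", T0, T0 + timedelta(days=365), T0 + timedelta(minutes=2)),
    CloudSignIn("tok-0002", "carol@example.test", T0 + timedelta(minutes=5), T0 + timedelta(hours=1, minutes=5), T0 + timedelta(minutes=6)),
]

def run_sample():
    """Apply the detector to the constructed sample data."""
    return find_suspect_assertions(SAMPLE_ISSUANCES, SAMPLE_SIGNINS)

if __name__ == "__main__":
    for token_id, user, reasons in run_sample():
        print(f"SUSPECT {token_id} ({user}): {'; '.join(reasons)}")
```

The check only works if the federation server’s issuance log is complete and tamper-evident and is shipped off the server, since an attacker who holds the signing key usually holds the server as well; the lifetime check is a secondary signal because a forged assertion can be given any validity window its author likes.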

In response to additional questions from Wyden this week, Microsoft acknowledged that its programs were not set up to track the theft of identity tools used to gain access to cloud services.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said the failure shows that cloud security risks should be a higher priority.

The hackers’ sophisticated abuse of identities “exposes a worrying weakness in how cloud computing giants invest in security, and perhaps does not mitigate the risk of high-impact, low-probability failures in systems at the root of their security model,” Herr said.

In testimony to Congress on Tuesday, Microsoft’s Smith said that only about 15% of the victims in the SolarWinds campaign were compromised via Golden SAML. Even in those cases, the hackers must already have gained access to the systems before using the method.

But Wyden’s staff said one of the victims was the U.S. Treasury, which lost emails from dozens of officials.

Reporting by Joseph Menn; edited by Jonathan Weber and Howard Goller
