
Microsoft announced today that the SolarWinds hackers gained access to source code for a limited number of Azure, Intune, and Exchange components.

In December, it was disclosed that the network management company SolarWinds had suffered a sophisticated cyberattack that allowed the hackers to mount a supply chain attack against the company's customers.

After internal investigations into their own use of the SolarWinds platform, Microsoft announced in December that they were affected by the attack and that the hackers had been able to access a limited number of source code repositories.

Today, Microsoft released the final update on their investigation and determined that, for most repositories, the hackers were only able to view a few files.

However, for some repositories, including ones for Azure, Intune, and Exchange, the attackers could download component source code.

For a small number of repositories, there was additional access, including, in some cases, downloading component source code. These repositories contained code for:

  • a small subset of Azure components (subsets of service, security, identity)
  • a small subset of Intune components
  • a small subset of Exchange components

Based on the search keywords used, the attackers were looking for secrets, such as API keys, credentials, and security tokens, that may have been embedded in the source code.

These credentials would have potentially allowed the threat actors to gain further access to Microsoft's systems if found.

Microsoft states that they have a strict development policy that prohibits storing secrets in source code, and that they use automated tools to verify compliance with it.

Microsoft's investigation determined that the accessed code did not contain any credentials.

"We have confirmed that the repositories complied and did not contain any live, production credentials," Microsoft stated in a final report today.
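The policy Microsoft describes, no secrets in source code enforced by automated checks, is what a source-scanning gate implements. The following is an added example written for this article; it is not Microsoft's tooling and not code from the report. It scans constructed file contents for AWS-style access key IDs, private key blocks, and high-entropy string literals assigned to secret-looking names, while letting placeholders and values read from the environment through. The sample files, the `# pragma: allowlist secret` marker, the rule names and the entropy threshold are all assumptions chosen for this example.

```python
"""Minimal secret-in-source scanner of the kind run as a pre-commit or CI gate.

Added example for this article; not Microsoft's tooling. Rules and samples are
illustrative assumptions, not a complete ruleset.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Illustrative rules. Production scanners ship hundreds of vendor-specific patterns.
PATTERNS = {
    # AWS access key IDs have a fixed "AKIA" prefix and 16 uppercase/digit characters.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header, any common key type.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A secret-looking name assigned a quoted literal of 8+ characters.
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}

# Shannon entropy in bits per character. Random 32-char hex is ~4; English-like
# placeholders ("CHANGEME") sit near 3. Threshold is an assumption for this example.
ENTROPY_THRESHOLD = 3.5

ALLOWLIST_MARKER = "# pragma: allowlist secret"  # assumed, reviewable opt-out


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Return the Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue  # explicitly reviewed exception, e.g. a documented test fixture
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                # Entropy gate: skip low-entropy placeholders so the check stays actionable.
                if shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                    continue
            findings.append(Finding(path, lineno, rule, line.strip()[:80]))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, preserving file order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents (not real files or real credentials).
# The AWS key ID below is the one AWS publishes in its own documentation as an example.
SAMPLE_FILES = {
    "config.py": (
        "import os\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"  # compliant: read from environment
        "api_key = 'CHANGEME_CHANGEME'\n"  # low-entropy placeholder, not flagged
        "token = 'q8Zx2Lk9pV3mR7sT1uW4yB6nD0fG5hJ2'\n"  # high-entropy literal, flagged
        "test_token = 'abcdefghijklmnopqrstuvwxyz012345'  # pragma: allowlist secret\n"
    ),
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # flagged by prefix rule
}


def main() -> int:
    """Print findings in a grep-like format and fail the build if any exist."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a gate, a non-zero exit blocks the commit or pipeline. The entropy check is what keeps the generic rule usable: without it, every `password = 'changeme'` in test fixtures would be a finding, and the signal the report describes (live, production credentials) would be buried in noise.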

Microsoft states that their investigation has shown how essential it is to adopt a 'Zero Trust' philosophy, meaning that organizations should assume all of their systems may be compromised and build their security models around that premise.

"A Zero Trust, “assume breach” philosophy is a critical part of defense. Zero Trust is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data." - Microsoft

Microsoft has previously released an article on Zero Trust principles with recommendations on operating under this philosophy.
