Microsoft said it found no evidence that attackers gained access to the source code for some of its products, services or customer data in the attack on SolarWinds’ supply chain, which it calls “Solorigate”. The company, which classifies the attack as a “moment of reckoning,” said on Thursday, 18, that it had completed the internal investigation to find out what its own network’s commitment was.
The software giant emphasized that its investigators concluded that neither the company’s services nor its software were used to attack third parties.
The investigation concludes less than two months after Microsoft revealed that attackers would have viewed part of the source code for its products and services. In a statement issued on February 18, the Microsoft Security Response Center (MSRC) revealed that attackers viewed specific source code repositories in search of passwords and development “secrets” used as keys to protect applications after they were compiled.
The research released now found that only “a small number of repositories [de código]”Was accessed by attackers, including a small subset of Azure, Intune and Exchange components”.
“The search terms used by the attackers indicate that the goal was to find secrets,” says the MSRC in a corporate blog post, adding that the company’s policy prohibits any code signing passwords or secrets in the code. Microsoft automates the verification of this policy, but double-checked the code when responding to incidents. “We confirmed that the repositories were in compliance and did not contain any live production credentials,” wrote the employees.
“Today, as we close our internal investigation of the incident and continue to see an urgent opportunity for defenders everywhere to unite and protect the world in a more combined way,” said Vasu Jakkal, corporate vice president for security, compliance and identity from Microsoft.
The speed with which Microsoft ended its investigation, however, caused some security professionals to question the company’s rigor. “Professionals who respond to incidents are in the difficult position of having to declare a negative [que os invasores não obtiveram acesso significativo] “Said Joe Slowik, senior threat researcher at the network infrastructure company DomainTools, in a statement to InformationWeek.
“Microsoft saying that [os atacantes] they didn’t get access, period, it seems very fast, ”he said, although he acknowledges that the company is in a better position to make such statements, compared to most of the industry. Slowik questioned, however, the wisdom in declaring the investigation closed.