SolarWinds Hacking Campaign Puts Microsoft in the Hot Seat
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called "systematic weaknesses" in key elements of Microsoft code to mine at least nine U.S. government agencies - the departments of Justice and Treasury, among them - and more than 100 private companies and think tanks, including software and telecommunications providers.
The campaign's "hallmark" was the intruders' ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing.
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims' lack of multi-factor authentication.
Sen. Ron Wyden, D-Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of "event logging" that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.
Remember, many security professionals note, Microsoft was itself compromised by the SolarWinds intruders, who got access to some of its source code - its crown jewels.
"The crux of it is that Microsoft is selling you the disease and the cure," said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.