News: SolarWinds, Microsoft, FireEye, CrowdStrike defend actions in major hack – U.S. Senate hearing.
WASHINGTON (Reuters) – Top executives at Texas-based software company SolarWinds Corp, Microsoft Corp and cybersecurity firms FireEye Inc and CrowdStrike Holdings Inc defended their conduct in the breaches by Russian hackers and sought to shift responsibility elsewhere before a US Senate committee on Tuesday.
All four were affected by one of the worst hacks discovered so far: SolarWinds and Microsoft software was used to attack others, and the hack hit about 100 US companies and nine federal agencies.
Lawmakers opened the hearing by criticizing Amazon, whose servers they said were used to launch the cyberattack, for declining to send representatives to testify after being asked to do so.
“I think you have a duty to be part of this investigation, and I hope you will volunteer,” said Senator Susan Collins, a Republican. “If not, let’s look at the next steps.”
The executives called for more transparency and information sharing about breaches, with liability protection and a reporting system that does not punish those who report, similar to airline disaster investigations.
Microsoft has informed 60 customers of the SolarWinds breach – US Senate hearing
Microsoft President Brad Smith and others told the Senate Select Committee on Intelligence that the true scope of the recent intrusion is not yet known, as most victims are not legally required to disclose attacks unless they involve confidential information about people.
Also testifying were Kevin Mandia, chief executive of FireEye, whose company first discovered the hackers; Sudhakar Ramakrishna, chief executive of SolarWinds, whose software was hijacked by the spies to break into a variety of other organizations; and George Kurtz, chief executive of CrowdStrike, whose company is helping SolarWinds recover from the breach.
“It is imperative for the nation that we encourage, and sometimes require, better information sharing about cyberattacks,” said Smith.
Smith said that many of the techniques used by the hackers have not yet come to light and that “the attacker used up to a dozen different means to get into victim networks in the past year.”
Microsoft announced last week that the hackers could read the company’s closely guarded source code to determine how its programs authenticate users. For many victims, the hackers manipulated these programs to gain access to new areas within their targets.
Smith pointed out that those moves were not due to programming errors by Microsoft, but rather to poor configuration and other controls on the customers’ side, including cases where “the keys to the safe and the car were left open”.
In CrowdStrike’s case, the hackers used a third-party reseller of Microsoft software that had access to CrowdStrike systems, but did not get into the company’s email.
CrowdStrike’s Kurtz blamed Microsoft for its intricate architecture, which he called “antiquated”.
“The threat actor used systemic weaknesses in the Windows authentication architecture to move sideways within the network” and to reach the cloud environment while bypassing multifactor authentication, according to Kurtz’s prepared statement.
While Smith sought government help in providing remediation for cloud users, Kurtz said Microsoft should look to its own house and fix the problems with its widely used Active Directory and Azure.
“Should Microsoft address the limitations of the authentication architecture in relation to Active Directory and Azure Active Directory or switch to a different methodology, a significant threat vector would be completely eliminated from one of the world’s most widely used authentication platforms,” said Kurtz.
Alex Stamos, a former Facebook and Yahoo security chief who now advises SolarWinds, agreed with Microsoft that customers who split their resources between their own premises and the Microsoft cloud are especially at risk, as sophisticated hackers can move back and forth between the two, and that such customers should move entirely to the cloud.
In an interview, he added, “It is also too difficult to run Azure AD (cloud software) securely, and the complexity of the product gives attackers many opportunities to escalate permissions or hide access.”
Reporting by Joseph Menn in San Francisco and Raphael Satter in Washington; Adaptation by Matthew Lewis and Grant McCool
Original Source © Reuters