Microsoft’s security team said today it has formally completed its investigation into its SolarWinds-related breach and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers.
The OS maker began investigating the breach in mid-December after it was discovered that Russian-linked hackers breached software vendor SolarWinds and inserted malware inside the Orion IT monitoring platform, a product that Microsoft had also deployed internally.
In a blog post published on December 31, Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft’s internal network, where they accessed the source code of several internal projects.
“Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts,” the company said today, in its final report into the SolarWinds-related breach.
Microsoft said that after cutting off the intruder’s access, the hackers continued to try to access Microsoft accounts throughout December and even up until early January 2021, weeks after the SolarWinds breach was disclosed, and even after Microsoft made it clear they were investigating the incident.
“There was no case where all repositories related to any single product or service was accessed,” the company’s security team said today. “There was no access to the vast majority of source code.”
Instead, the OS maker said intruders viewed “only a few individual files […] as a result of a repository search.”
Microsoft said that, based on the search queries the attackers performed inside its code repositories, the intruders appeared to have been focused on locating secrets (aka access tokens) that they could use to expand their access to other Microsoft systems.
The Redmond company said these searches failed because of internal coding practices that prohibited developers from storing secrets inside source code.
Some source code was also downloaded
But beyond viewing files, the hackers also managed to download some code. However, Microsoft said the data was not extensive and that the intruders only downloaded the source code of a few components related to some of its cloud-based products.
Per Microsoft, these repositories contained code for:
a small subset of Azure components (subsets of service, security, identity)
a small subset of Intune components
a small subset of Exchange components
All in all, the incident doesn’t appear to have damaged Microsoft’s products or have led to hackers gaining extensive access to user data.
CISA has released a notice urging administrators to apply updates to a variety of industrial control systems after discovering vulnerabilities in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations.
In the advisory, CISA said the issues were found in equipment from Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing.
The equipment containing the vulnerabilities includes CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, and CoreDX DDS. “Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure,” CISA explained.
They provided links to each company’s patches or fixes for the issue, but they noted that GurumNetworks did not respond to their messages. CISA said organizations using GurumNetworks’ tools should contact them directly.
Dr. Dennis Hackney, head of industrial cybersecurity services development at ABS Group, told ZDNet that many industrial control system owners don’t realize that their systems are full of open-source software, much like OpenDDS.
“The reasons for this are multifaceted but often stem from the proprietary and tailored nature of each control system. OEMs and engineers develop solutions that are as functional as possible without adding unnecessary costs. Be warned, by their very nature, ICS are open,” Hackney explained.
“They use connectivity called OPC which stands for Object Linking and Embedding (OLE) for Process Control, otherwise known as open process control specifications. Open refers to non-authenticated communication between computers and equipment. There are increasingly new authenticated models but that does not cover the majority of what are in operation today. The concern being, when there is a vulnerability in components like OpenDDS, there are limited options to control access and ensure quality of service due to the nature of ICS designs.”
OpenDDS vulnerabilities are a concern, he added, because these applications are based on a subscription model. The vulnerabilities are also concerning because they can be exploited remotely and have a low attack complexity, he said.
Like CISA’s notice, Hackney suggested that affected organizations install the latest updates, isolate systems from business IT networks, utilize firewalls, and secure remote access through VPNs.
Other experts, like Netenrich principal threat hunter John Bambenek, explained that this advisory stood out because it impacts a wide variety of vendors and open-source solutions that address the data distribution layer of real-time systems. Typically, a vulnerability only impacts specific products.
The fact that all involved have released updates in a coordinated fashion shows that CISA is taking its role of protecting critical infrastructure and coordinating response between many organizations seriously, Bambenek said.
“While CISA has said there are no known public exploits for these vulnerabilities, this announcement will certainly drive those attackers interested in attacking these systems to develop them quickly. Affected organizations should patch quickly while there is still time,” Bambenek added.
Fortinet delivered strong second quarter growth thanks to an expansion in business from EMEA and the Americas.
Fortinet delivered second quarter revenue of $801.1 million, up 29.7% from a year ago. For the second quarter, Fortinet’s non-GAAP earnings of $0.95 a share were above expectations. Wall Street was expecting Fortinet to report second quarter earnings of $0.87 a share on revenue of $744.14 million.
For 2021, Fortinet is projecting revenue of $3.21 billion to $3.25 billion with non-GAAP earnings of $3.75 to $3.90 a share.
For the third quarter, Fortinet is projecting revenue between $800 million and $815 million with non-GAAP earnings between $0.90 and $0.95 a share.
In Q4, the company updated its FortiOS operating system with more than 300 new features including Zero Trust Network Access capabilities and tools to better secure networks and proliferating end points.
Fortinet announced in March that it was investing $75 million in router maker Linksys as part of a “strategic alliance” aimed at securing work from home networks.
Ahead of the earnings call, the company unveiled a new FortiGate 3500F Next-Generation Firewall that is designed to protect organizations with hybrid data centers against ransomware and other attacks.
Fortinet CMO John Maddison added that Fortinet is also “redefining services by expanding its security services options — which currently include FortiCare and FortiGuard — with FortiTrust, enabling a unified offering with one licensing model for flexible consumption options across networks, endpoints, and clouds.”
Two government departments copped a beating from the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday over extensive gaps in their oversight of Australia’s mandatory data retention laws. The Department of Home Affairs (DHA) in particular came under sustained attack from Labor’s Anthony Byrne, a former chair of the committee, for what he […]