Post details
@ProPublica@newsie.social

#Microsoft has long downplayed its role in the 2020 "SolarWinds" attack -- one of the largest #cyberattacks in US history -- but a new ProPublica investigation reveals that the #tech giant ignored warnings that could have stemmed the damage. (THREAD)

www.propublica.org/...


ProPublica

Whistleblower Says Microsoft Dismissed Warnings About a Security Flaw That Russians Later Used to Hack U.S. Government

Former employee says software giant dismissed his warnings about a critical flaw because it feared losing government business. Russian hackers later used the weakness to breach the National Nuclear Security Administration, among others.

@ProPublica@newsie.social

2/ In 2016, while researching an attack on a major tech company, Microsoft engineer Andrew Harris said he discovered a flaw that left millions of users -- including federal employees -- exposed to hackers.

The weakness Harris discovered was in MS' Active Directory Federation Services, which allowed users to sign on a single time for nearly everything they needed. The problem was with how the app used a computer language known as SAML to authenticate users as they logged in.

@ProPublica@newsie.social

3/ Harris said he brought these concerns to the Microsoft Security Response Center, which fields reports of security vulnerabilities and determines which need to be addressed.

The MSRC took no action, arguing that because hackers would already need access to an organization’s on-premises servers before they could take advantage of the flaw, it didn’t cross a so-called “security boundary.”

@ProPublica@newsie.social

4/ So Harris elevated the issue to Microsoft product leaders who, he said, "violently agreed with me that this is a huge issue."

The problem was, “Everyone violently disagreed with me that we should move quickly to fix it.”

The temporary solution would be for customers to turn off the seamless single sign-on function, but MS leaders argued that this could alienate large customers and give an edge to Microsoft's competition.

@ProPublica@newsie.social

5/ Harris wasn't the only one trying to alert Microsoft to the vulnerability. In Nov. 2017, cybersecurity firm CyberArk wrote a blog post detailing the SAML flaw.

Microsoft would later claim this blog post was the first time it had learned of the issue, but researchers at CyberArk say they had reached out to MS at least twice before publication.

www.cyberark.com/re...


Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps

CyberArk Labs discovered a new attack vector, dubbed “golden SAML,” which allows an attacker to authenticate across every service that uses SAML 2.0 protocol as an SSO mechanism.

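The trust relationship that posts 2/, 3/ and 5/ describe, modelled as an added example (not code from ProPublica, CyberArk or Microsoft): an identity provider standing in for an AD FS farm signs assertions, a cloud relying party trusts anything carrying that signature, and an attacker who already has on-premises access to the signing key mints an assertion for any principal without ever authenticating. Real AD FS uses the RSA key of a token-signing certificate and XML-DSig; this model substitutes one HMAC-SHA256 secret, since the property at issue is the same. The host names, user names and audit-log shape are constructed for illustration. The example also shows why the MSRC "security boundary" reasoning is cold comfort: the on-premises foothold is the precondition, but the payoff is every federated cloud service, and the only signals left are a signing-key rotation and assertions the IdP never recorded issuing.

```python
"""Toy model of the identity-provider trust that "golden SAML" abuses.

Added example, not ProPublica's, CyberArk's or Microsoft's code. One HMAC key
stands in for the AD FS token-signing certificate's private key; names and
log layout are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional

ISSUER = "adfs.corp.example"       # constructed IdP name
AUDIENCE = "cloud-app.example"     # constructed relying party


def sign(key: bytes, assertion: dict) -> str:
    """Serialise the assertion and attach a MAC (stand-in for XML-DSig)."""
    body = json.dumps(assertion, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(mac).decode()


def verify(key: bytes, token: str) -> Optional[dict]:
    """Return the assertion if its signature checks under `key`, else None."""
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.b64decode(body_b64)
        mac = base64.b64decode(mac_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)


def make_assertion(user: str) -> dict:
    """Same shape whether the IdP or an attacker holding the key builds it."""
    return {"id": secrets.token_hex(8), "iss": ISSUER, "aud": AUDIENCE,
            "sub": user, "exp": int(time.time()) + 3600}


class IdentityProvider:
    """Stands in for an AD FS farm: checks credentials, issues signed assertions."""

    def __init__(self) -> None:
        self.signing_key = secrets.token_bytes(32)          # token-signing secret
        self.users = {"alice": "correct horse battery staple"}  # constructed
        self.issued: List[str] = []  # IdP-side record of assertion IDs it minted

    def login(self, user: str, password: str) -> Optional[str]:
        if self.users.get(user) != password:
            return None
        assertion = make_assertion(user)
        self.issued.append(assertion["id"])
        return sign(self.signing_key, assertion)


class ServiceProvider:
    """Relying party that trusts whatever the IdP's signing key vouches for."""

    def __init__(self, idp_key: bytes) -> None:
        self.trusted_key = idp_key
        self.accepted: List[str] = []  # assertion IDs this SP logged in

    def accept(self, token: str) -> Optional[str]:
        a = verify(self.trusted_key, token)
        if a is None or a.get("aud") != AUDIENCE or a.get("exp", 0) < time.time():
            return None
        self.accepted.append(a["id"])
        return a["sub"]


def forge_golden_saml(stolen_key: bytes, user: str) -> str:
    """Attacker with on-prem access to the key mints an assertion for any user,
    bypassing the IdP (and therefore the password and any MFA) entirely."""
    return sign(stolen_key, make_assertion(user))


def unissued_assertions(idp: IdentityProvider, sp: ServiceProvider) -> List[str]:
    """Detection idea: assertions the SP accepted that the IdP never logged issuing.
    A forged assertion never passes through the IdP, so it has no issuance record."""
    return [i for i in sp.accepted if i not in idp.issued]


def demo() -> dict:
    idp = IdentityProvider()
    sp = ServiceProvider(idp.signing_key)
    legit_user = sp.accept(idp.login("alice", "correct horse battery staple"))

    # Precondition: the attacker already owns the on-prem AD FS server.
    forged = forge_golden_saml(idp.signing_key, "admin")
    forged_user = sp.accept(forged)              # accepted as "admin"
    suspicious = unissued_assertions(idp, sp)    # only the forged ID shows up

    # Mitigation: rotating the token-signing key invalidates the forgery.
    idp.signing_key = secrets.token_bytes(32)
    sp.trusted_key = idp.signing_key
    return {"legit_user": legit_user, "forged_user": forged_user,
            "unissued_count": len(suspicious),
            "forged_after_rotation": sp.accept(forged)}
```

Running `demo()` shows the legitimate login accepted as "alice", the forged token accepted as "admin" with no credential check, exactly one accepted assertion with no matching issuance record, and the forgery rejected once the key is rotated. Cross-checking relying-party sign-ins against the IdP's own issuance records is the detection that a pure "security boundary" argument overlooks.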