Microsoft has admitted that as a result of installing backdoored SolarWinds tools in some parts of its corporate network, portions of its source code was obtained and exfiltrated by parties unknown.
In a final public update on Thursday detailing its internal investigation into “Solarigate,” Redmond’s security team said it detected the “viewing of a file in a source repository” in late November, and attempts to do so again “into early January 2021, when the attempts stopped.”
“There was no case where all repositories related to any single product or service was accessed,” the update advises, adding: “There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search.”
But some source code was accessed and downloaded. “For a small number of repositories, there was additional access, including in some cases, downloading component source code,” the update states.
Microsoft has described those repositories as follows:
- A small subset of Azure components (subsets of service, security, identity)
- A small subset of Intune components
- A small subset of Exchange components
More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others
Microsoft’s security team suggests there’s no reason to worry about these leaks, because the attackers went looking for secrets in code. Microsoft forbids that and runs automated checks to enforce the policy.
The Windows colossus has also gone through the repos with a fine-tooth comb and found they contained no live, production, credentials.
Which leaves us with someone out there having a small sample of Microsoft source code to assess, and an assurance that code won’t cause harm to Redmond’s systems.
Whether the attackers have enough code to harm the rest of us, by crafting attacks on Azure, Exchange and Intune, remains to be seen. The IT goliath earlier insisted that “following the completion of our internal investigation we’ve seen no evidence that Microsoft systems were used to attack others. There was also no evidence of access to our production services or customer data” by the masterminds of the SolarWinds super-hack. ®