Microsoft Dismissed Warning About Flaw Later Exploited During SolarWinds Attacks: Report
According to a ProPublica report, the tech giant was dismissive of an employee’s warnings about a vulnerability later exploited in the widely felt SolarWinds Orion attacks.
Microsoft was dismissive of a whistleblower’s warnings about a vulnerability later exploited as part of the widely felt SolarWinds Orion attacks, according to a ProPublica report.
The former employee, Andrew Harris, reportedly warned Microsoft multiple times while working at the company between 2016 and 2020 about a flaw later dubbed “Golden SAML” by cybersecurity vendor CyberArk.
The vulnerability, which affected Microsoft’s Active Directory Federation Services (AD FS), could allow a threat actor to more easily maintain access to a compromised environment while remaining undetected. Microsoft now recommends that Active Directory Federation Services customers migrate to its newer Microsoft Entra ID system.
Harris, who had previously worked for the Defense Department, was hired by Microsoft for his technical expertise in preventing products from being compromised by hackers, ProPublica reported in its investigative article published Thursday. He departed Microsoft in August 2020 to work for rival cybersecurity vendor CrowdStrike, several months before the SolarWinds breach was discovered.
The SolarWinds software supply chain attack saw threat actors, who have been associated with Russia’s SVR foreign intelligence service, infect the Orion network monitoring software with malicious code.
After the implant was introduced into Orion, researchers say, the tainted software was downloaded by thousands of customers, including U.S. government agencies and major corporations, leading to numerous additional data breaches.
If Microsoft had acted sooner on Harris’ warnings, it presumably could have helped curtail some of the attacks carried out against SolarWinds customers through exploitation of the Golden SAML flaw, according to the ProPublica report. Victims attacked using the vulnerability included the National Nuclear Security Administration and the National Institutes of Health, the report said.
Microsoft “did not dispute ProPublica’s findings,” the report said.
In a statement from Microsoft provided to CRN Thursday, the company said that SAML (Security Assertion Markup Language) is “an industry standard for authentication” and that “there are not inherent vulnerabilities in that standard and supporting SAML, itself, is not a vulnerability for identity services.”
The company added that “our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with the industry consensus.”
The ProPublica report was published as Microsoft President Brad Smith testified before the U.S. House Homeland Security Committee, where he reportedly said Microsoft “accepts responsibility” for security lapses recently identified related to a separate cyberattack. Smith was responding to the Cyber Safety Review Board’s April report on the 2023 Microsoft cloud email breach, which offered a scathing criticism of the company’s security culture and practices.