One of the scariest aspects of the recent wave of Russian hacking, which has breached numerous US government agencies among other targets, has been the successful use of a “supply chain attack” to reach tens of thousands of potential victims from a single compromise of the IT services company SolarWinds. But that was not the only striking feature of the assault. After this initial foothold, the attackers dug deeper into their victims’ networks with simple and elegant techniques. Now researchers are bracing for copycats to adopt those same techniques once they have initial access.
In numerous instances the SolarWinds hackers used their access to infiltrate their victims’ Microsoft 365 email services and Microsoft Azure cloud infrastructure, both potentially valuable and sensitive troves of data. The challenge of preventing these types of intrusions in Microsoft 365 and Azure is that they don’t depend on specific vulnerabilities that can simply be patched. Instead, the hackers use an initial attack that positions them to manipulate Microsoft 365 and Azure in a way that looks legitimate. In this case, to great effect.
“Now there are other actors who will obviously adopt these techniques, because they are going after what works,” says Matthew McWhirt, a director at Mandiant FireEye, which first identified the Russian campaign in early December.
In the recent barrage, hackers compromised a SolarWinds product, Orion, and distributed corrupted updates that gave the attackers a foothold on the network of every SolarWinds customer that downloaded the malicious update. From there, attackers could use their new privileges on victim systems to take control of the certificates and keys used to generate system authentication tokens, known as SAML tokens, for Microsoft 365 and Azure. Organizations manage this authentication infrastructure locally, rather than in the cloud, through a Microsoft component called Active Directory Federation Services.
Once attackers have network privileges to manipulate this authentication scheme, they can generate legitimate-looking tokens to access any of the organization’s Microsoft 365 and Azure accounts, with no password or multi-factor authentication required. From there, attackers can also create new accounts and grant themselves the elevated privileges necessary to roam freely without raising an alert.
“We believe it is essential that governments and the private sector be increasingly transparent about the activities of nation states so that we can all continue the global dialogue on protecting the Internet,” Microsoft said in a December blog post that linked these techniques to the SolarWinds hackers. “We also hope that the publication of this information will help educate organizations and individuals on the steps they can take to protect themselves.”
The National Security Agency also detailed the techniques in a December report.
“When running products that perform authentication, it is essential that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML tokens could be forged, giving access to many resources.”
Microsoft has since extended its monitoring tools in Azure Sentinel. Mandiant has also published a tool that makes it easier for organizations to assess whether someone has manipulated their authentication token generation for Azure and Microsoft 365, for example by highlighting new certificates and accounts.
Now that the techniques have been exposed so publicly, more organizations may be on the lookout for such malicious activity. But manipulation of SAML tokens is a risk for virtually any cloud user, not just those on Azure, as some researchers have warned for years. In 2017, Shaked Reiner, a researcher at the security firm CyberArk, published findings about the technique, called Golden SAML. He even built a proof-of-concept tool that security professionals could use to test whether their clients were vulnerable to SAML token manipulation.
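As an added illustration of the defensive checks the article alludes to (new signing certificates, abnormal token validity), not code from the article, Mandiant or CyberArk, the following Python audits a SAML assertion for two Golden SAML indicators: a signing certificate outside the federation server's configured token-signing set, and a validity window far longer than AD FS normally issues. The issuer URL and certificate values are constructed placeholders; a token signed with a genuinely stolen key will pass these checks, which is why they are a complement to, not a substitute for, correlating cloud sign-ins with the federation server's own issuance logs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values an administrator would take from their own AD FS farm (assumed placeholders here).
TRUSTED_ISSUER = "http://adfs.example.test/adfs/services/trust"
TRUSTED_CERTS = {"MIIC-CONSTRUCTED-TOKEN-SIGNING-CERT"}   # base64 DER of the real signing cert

def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-12-14T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_assertion(xml_text, max_lifetime=timedelta(hours=1)):
    """Return a list of Golden SAML indicators found in one assertion (empty = none)."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response wrapping one.
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    findings = []
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        findings.append(f"issuer {issuer!r} is not the federation server")
    cert = assertion.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    if "".join(cert.split()) not in TRUSTED_CERTS:   # strip PEM line wrapping before comparing
        findings.append("signed with a certificate outside the configured token-signing set")
    cond = assertion.find("saml:Conditions", NS)
    lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
    if lifetime > max_lifetime:
        findings.append(f"validity window of {lifetime} exceeds {max_lifetime}")
    return findings

def _assertion(cert, not_before, not_after):
    """Build a minimal constructed assertion (no real XML signature) for the demo."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
</saml:Assertion>"""

# Constructed samples: a normal one-hour token, and a token signed by a certificate the
# farm never issued that claims to be valid for a month.
LEGIT = _assertion("MIIC-CONSTRUCTED-TOKEN-SIGNING-CERT", "2020-12-14T10:00:00Z", "2020-12-14T11:00:00Z")
SUSPECT = _assertion("MIIC-CONSTRUCTED-ROGUE-CERT", "2020-12-14T10:00:00Z", "2021-01-13T10:00:00Z")

if __name__ == "__main__":
    for name, doc in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, audit_assertion(doc) or "no indicators")
```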