FireEye Reveals How SolarWinds Hackers Bypassed the Defenses

essidsolutions

FireEye, which is leading the SolarWinds investigations, has identified the tactics, techniques, and procedures the attackers used to carry out the intrusion. The cybersecurity vendor has also released a tool to help organizations detect whether those techniques were used against their Microsoft 365 cloud environments.

FireEye, which sounded the alarm on the sophisticated SolarWinds breach, has some answers about the intrusion tactics, techniques, and procedures (TTPs) used in the attack. Mandiant, a subsidiary of FireEye, recently released a white paper detailing the TTPs of the attackers, who first gained a foothold in organizations' on-premises systems and then moved laterally into their cloud-based Microsoft 365 environments. The company also released a free tool that lets organizations check whether any of these techniques were used against their own tenants.

FireEye was the first to report a breach, disclosing on December 8 that its own systems had been compromised. The intrusion, attributed to a threat actor FireEye tracks as UNC2452, resulted in the theft of the company's Red Team tools, the internal toolset it uses to test for weaknesses and vulnerabilities in clients' systems and cyber defenses.

The California-based company quickly pointed out that the attackers used novel techniques and applied a high level of operational discipline. Five days later, on December 13, it emerged that the attack on FireEye was part of a Russia-backed cyber espionage campaign in which the attackers had infiltrated SolarWinds and planted a backdoor in updates to its Orion software. FireEye concluded that the attack had been planned months in advance.

More than a month after the disclosure, the ramifications of the attack are still being felt across hundreds of private organizations and federal agencies targeted by the same nation-state actor. The attackers even reached source code repositories for multiple Microsoft products, although Microsoft has reported that the code was viewed, not modified.

Mandiant CTO Charles Carmakal said, “We continue to learn about new victims almost every day. I still think that we’re still in the early days of really understanding the scope of the threat-actor activity.”

“This threat actor is so good, so sophisticated, so disciplined, so patient and so elusive that it’s just hard for organizations to really understand what the scope and impact of the intrusions are. But I can assure you there are a lot of victims beyond what has been made public to date,” he added.

Here are some of the highlights from FireEye’s white paper:

  1. Steal the token-signing certificate from Active Directory Federation Services (AD FS) and use it to forge SAML tokens, which federated resource providers such as Microsoft 365 accept as proof of authentication. Because the token is minted outside the normal login flow, this bypasses the need for user passwords and defeats multi-factor authentication (the technique known as Golden SAML).
  2. Add or modify trusted domains in Azure Active Directory to register an attacker-controlled federated identity provider. This creates a persistent backdoor from which the attacker can forge tokens for arbitrary users in the tenant.
  3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 and already hold highly privileged directory roles, such as Global Administrator or Application Administrator.
  4. Hijack existing Microsoft 365 applications by adding a rogue credential (a certificate or secret) to them, then use the application's legitimate permissions. Those permissions can include reading mail, sending mail as an arbitrary user, accessing user calendars, and more.

Using these techniques, the attackers can reach a potentially vast pool of information: government data that may bear on national security, code repositories, product details, trade secrets, and more.
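Each of the four TTPs leaves a trace in logs that an investigator can check. The script below is an added example, not FireEye/Mandiant code and not Azure AD Investigator: it triages constructed Azure AD audit-log records for the federation-trust changes (TTP 2), privileged role grants (TTP 3) and application credential additions (TTP 4) described above, and correlates federated sign-ins against AD FS token-issuance events (Security event ID 1200) to spot tokens Azure AD accepted that AD FS never issued, the hallmark of a forged Golden SAML token (TTP 1). Field names are simplified from the real Azure AD schema, the sample records are constructed, and the check assumes AD FS security auditing is enabled.

```python
"""Triage constructed Azure AD audit, AD FS and sign-in records for the four UNC2452
cloud TTPs listed above. Added example, not FireEye/Mandiant code or Azure AD
Investigator; field names are simplified from the real Azure AD log schema."""
from collections import defaultdict
from datetime import datetime, timedelta


def _norm(name):
    # Azure AD writes an en dash in some activity names; normalise for matching.
    return name.lower().replace("\u2013", "-").strip()


# Activity names Azure AD records when federation trust or app credentials change.
FEDERATION_OPS = {"set domain authentication", "set federation settings on domain",
                  "add unverified domain"}
APP_CREDENTIAL_OPS = {"update application - certificates and secrets management",
                      "add service principal credentials"}
# Roles that let an account take over the tenant or its applications (TTP 3).
PRIVILEGED_ROLES = {"global administrator", "application administrator",
                    "cloud application administrator", "privileged role administrator"}


def triage_audit_log(entries):
    """Return (ttp, detail) findings for directory changes matching TTPs 2-4."""
    findings = []
    for e in entries:
        op = _norm(e["activityDisplayName"])
        actor = e["initiatedBy"]
        target = e["targetResources"][0]["displayName"]
        if op in FEDERATION_OPS:
            findings.append(("TTP2 federation trust changed",
                             f"{actor} ran '{e['activityDisplayName']}' on domain {target}"))
        elif op in APP_CREDENTIAL_OPS:
            findings.append(("TTP4 credential added to application",
                             f"{actor} added a credential to application '{target}'"))
        elif op == "add member to role" and _norm(e.get("role", "")) in PRIVILEGED_ROLES:
            findings.append(("TTP3 privileged role assigned",
                             f"{actor} made {target} a {e['role']}"))
    return findings


def find_unbacked_federated_signins(signins, adfs_issuance, window=timedelta(minutes=5)):
    """TTP 1: a federated sign-in that Azure AD accepted, but for which AD FS logged no
    token issuance (event 1200) for that user shortly before, points at a forged SAML token."""
    issued = defaultdict(list)
    for ev in adfs_issuance:
        issued[ev["user"].lower()].append(ev["time"])
    suspicious = []
    for s in signins:
        if s["authenticationMethod"] != "Federated":
            continue  # password/cloud-native sign-ins are not issued by AD FS
        t = s["time"]
        if not any(t - window <= it <= t for it in issued[s["user"].lower()]):
            suspicious.append(s)
    return suspicious


# ---- Constructed sample data (not real logs); corp.example is a hypothetical tenant ----
T0 = datetime(2021, 1, 19, 9, 0, 0)
SAMPLE_AUDIT = [
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "svc-backup@corp.example", "targetResources": [{"displayName": "corp.example"}]},
    {"activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "initiatedBy": "svc-backup@corp.example", "targetResources": [{"displayName": "Mail Archiver"}]},
    {"activityDisplayName": "Add member to role", "initiatedBy": "svc-backup@corp.example",
     "targetResources": [{"displayName": "jdoe@corp.example"}], "role": "Application Administrator"},
    {"activityDisplayName": "Update user", "initiatedBy": "helpdesk@corp.example",
     "targetResources": [{"displayName": "asmith@corp.example"}]},  # benign, ignored
]
SAMPLE_ADFS_1200 = [{"user": "asmith@corp.example", "time": T0 + timedelta(minutes=1)}]
SAMPLE_SIGNINS = [
    {"user": "asmith@corp.example", "time": T0 + timedelta(minutes=2), "authenticationMethod": "Federated"},
    {"user": "ceo@corp.example", "time": T0 + timedelta(minutes=3), "authenticationMethod": "Federated"},
    {"user": "jdoe@corp.example", "time": T0 + timedelta(minutes=4), "authenticationMethod": "Password"},
]

if __name__ == "__main__":
    for ttp, detail in triage_audit_log(SAMPLE_AUDIT):
        print(f"[{ttp}] {detail}")
    for s in find_unbacked_federated_signins(SAMPLE_SIGNINS, SAMPLE_ADFS_1200):
        print(f"[TTP1 possible forged SAML token] {s['user']} at {s['time']:%H:%M}")
```

Run against the sample data, the audit triage flags the federation change, the application credential and the Application Administrator grant made by the same service account, and the sign-in correlation flags only the executive's federated sign-in, for which AD FS never issued a token. In a real investigation the same logic runs over exported Azure AD audit and sign-in logs and the AD FS Security event log; the correlation window should be tuned to the clock skew between the two sources.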

Any organization that suspects it has been compromised can use FireEye's Azure AD Investigator to check its Microsoft 365 environment for indicators of the TTPs used by UNC2452. Azure AD Investigator is similar to CISA's Sparrow and the CrowdStrike Reporting Tool for Azure (CRT), which CrowdStrike released after it was itself targeted through a third-party Microsoft reseller. All three tools help security teams audit Azure AD and Microsoft 365 configurations for weaknesses and suspicious changes, removing much of the complexity of reviewing those settings by hand.

Azure AD Investigator is available on GitHub.
