Threat actors behind a widespread cyber-espionage campaign involving weaponized SolarWinds Orion software used common hacker techniques to breach targets in addition to more sophisticated methods, according to an update to the Cybersecurity and Infrastructure Security Agency’s alert.
“Frequently, CISA has observed the APT actor gaining Initial Access to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst). However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing, Password Spraying, and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials) instead of utilizing the compromised SolarWinds Orion products,” the agency said.
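The two credential-based access paths the alert names leave distinct footprints in authentication logs: password spraying tries many accounts a few times each (staying under lockout thresholds), while password guessing hammers one account. The following detector is an added example written for this article, not code from CISA or any of the tools it mentions; the log format and all usernames, addresses and timestamps are constructed for illustration.

```python
"""Separate password-spraying from password-guessing patterns in auth logs.

Spraying: one source, many distinct accounts, each tried only once or twice
within a short window.  Guessing: one source, one account, many failures.
The detectors also report whether a successful login followed from the same
source, which is the case an incident responder needs to triage first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): timestamp, result, user, source.
SAMPLE_LOG = """\
2020-12-01T08:00:01Z FAIL user=alice src=203.0.113.7
2020-12-01T08:00:03Z FAIL user=bob src=203.0.113.7
2020-12-01T08:00:05Z FAIL user=carol src=203.0.113.7
2020-12-01T08:00:07Z FAIL user=dave src=203.0.113.7
2020-12-01T08:00:09Z FAIL user=erin src=203.0.113.7
2020-12-01T08:00:11Z OK   user=frank src=203.0.113.7
2020-12-01T08:05:00Z FAIL user=alice src=198.51.100.4
2020-12-01T08:05:02Z FAIL user=alice src=198.51.100.4
2020-12-01T08:05:04Z FAIL user=alice src=198.51.100.4
2020-12-01T08:05:06Z FAIL user=alice src=198.51.100.4
2020-12-01T08:05:08Z FAIL user=alice src=198.51.100.4
2020-12-01T09:30:00Z FAIL user=grace src=192.0.2.9
2020-12-01T09:31:00Z OK   user=grace src=192.0.2.9
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def _events_by_source(log_text):
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return by_src


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Per source: failures across >= min_users distinct accounts, at most
    max_per_user each, inside `window` starting at some failure.  Returns
    {source: {"users_tried", "window_start", "successful_logins"}}."""
    findings = {}
    for src, evs in _events_by_source(log_text).items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source after the spray started is the
                # account the spray landed on; escalate that one first.
                landed = sorted(e["user"] for e in evs
                                if e["result"] == "OK" and e["ts"] >= first["ts"])
                findings[src] = {"users_tried": len(per_user),
                                 "window_start": first["ts"].isoformat(),
                                 "successful_logins": landed}
                break  # one finding per source is enough
    return findings


def detect_guessing(log_text, window=timedelta(minutes=10), min_attempts=5):
    """Per (source, user): >= min_attempts failures inside `window`."""
    findings = {}
    for src, evs in _events_by_source(log_text).items():
        per_user = defaultdict(list)
        for e in evs:
            if e["result"] == "FAIL":
                per_user[e["user"]].append(e["ts"])
        for user, times in per_user.items():
            for i, start in enumerate(times):
                n = sum(1 for t in times[i:] if t - start <= window)
                if n >= min_attempts:
                    findings[(src, user)] = n
                    break
    return findings


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_LOG))
    print("guessing:", detect_guessing(SAMPLE_LOG))
```

On the sample, 203.0.113.7 is flagged as a spray (five accounts, one attempt each, then a success for `frank`), 198.51.100.4 as guessing against `alice`, and 192.0.2.9 as neither. The thresholds are deliberately parameters: tune `min_users` and `window` to the account population and lockout policy of the environment rather than shipping the defaults.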
“CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement),” the alert continues.
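The defining property of the forged-token path the alert describes is that the service provider accepts a claim the identity provider never issued. The corresponding detection is a join between the cloud side's sign-in records and the on-prem IdP's token-issuance records. The script below is an added example written for this article, not code from CISA, Microsoft or the detection tools mentioned later; the two log formats, their field names (`assertion`, `lifetime`, `result`) and every value in them are constructed assumptions, not the schema of any real product's logs.

```python
"""Correlate service-provider sign-ins with the IdP's token-issuance log.

A token the cloud side accepted that the federation server never recorded
issuing is the footprint of an assertion signed outside the IdP.  Two weaker
anomalies are also reported: an assertion reused outside its issuance window,
and an assertion whose subject differs from the one the IdP issued it for.
"""
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions for this example.
IDP_ISSUANCE_LOG = """\
2020-12-14T10:00:00Z user=alice@example.test assertion=_a1 lifetime=60
2020-12-14T10:05:00Z user=bob@example.test assertion=_b1 lifetime=60
"""
SP_SIGNIN_LOG = """\
2020-12-14T10:00:04Z user=alice@example.test assertion=_a1 result=success
2020-12-14T10:05:03Z user=bob@example.test assertion=_b1 result=success
2020-12-14T11:20:00Z user=admin@example.test assertion=_z9 result=success
2020-12-14T18:00:00Z user=bob@example.test assertion=_b1 result=success
"""


def parse_kv(line):
    """Parse 'timestamp k=v k=v ...' into a dict; lifetime is in minutes."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for p in pairs:
        k, v = p.split("=", 1)
        rec[k] = v
    return rec


def _records(log_text):
    return [parse_kv(l) for l in log_text.splitlines() if l.strip()]


def find_unissued_tokens(idp_log, sp_log, skew=timedelta(minutes=5)):
    """Return (user, assertion_id, reason) for every SP sign-in that cannot be
    matched to a legitimate issuance at the IdP.  `skew` tolerates clock drift
    between the two log sources."""
    issued = {rec["assertion"]: rec for rec in _records(idp_log)}
    findings = []
    for rec in _records(sp_log):
        if rec.get("result") != "success":
            continue  # only accepted tokens matter here
        ref = issued.get(rec["assertion"])
        if ref is None:
            # The strongest signal: the IdP has no record of this assertion.
            findings.append((rec["user"], rec["assertion"], "no issuance record at IdP"))
            continue
        if ref["user"] != rec["user"]:
            findings.append((rec["user"], rec["assertion"], "subject differs from issued token"))
            continue
        valid_until = ref["ts"] + timedelta(minutes=int(ref["lifetime"])) + skew
        if not (ref["ts"] - skew <= rec["ts"] <= valid_until):
            findings.append((rec["user"], rec["assertion"], "used outside issuance window"))
    return findings


if __name__ == "__main__":
    for user, assertion, reason in find_unissued_tokens(IDP_ISSUANCE_LOG, SP_SIGNIN_LOG):
        print(f"{user} {assertion}: {reason}")
```

On the sample, the `admin@example.test` sign-in with assertion `_z9` has no issuance record and is the high-priority finding; the 18:00 reuse of `_b1` falls well outside its 60-minute lifetime and is reported as a replay anomaly. The join only works if IdP issuance logging is actually enabled and retained; the check has nothing to compare against otherwise, which is itself a gap worth closing before an incident.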
In a report published at the end of December, Microsoft said that the primary goal of the attackers behind the SolarWinds supply-chain operation was to gain access to cloud-hosted infrastructure, which in many cases was the company’s own Azure and Microsoft 365 environments.
In its advisory, CISA also provided examples of open-source detection tools for investigating adversary activity in Microsoft cloud environments and for detecting unusual sign-in, service principal, and application activity, including CISA's Sparrow, the open-source utility Hawk, and CrowdStrike's Azure Reporting Tool (CRT).