11 January 2021

SolarWinds hackers used password guessing to compromise networks

Threat actors behind a widespread cyber-espionage campaign involving weaponized SolarWinds Orion software used common hacker techniques to breach targets in addition to more sophisticated methods, according to an update to the Cybersecurity and Infrastructure Security Agency’s alert.

“Frequently, CISA has observed the APT actor gaining Initial Access to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst). However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing, Password Spraying, and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials) instead of utilizing the compromised SolarWinds Orion products,” the agency said.

“CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement),” the alert continues.

In a report published at the end of December, Microsoft said that the primary goal of the attackers behind the SolarWinds supply-chain operation was to gain access to cloud-hosted infrastructure, which in many cases meant Microsoft's own Azure and Microsoft 365 environments.

In its advisory, CISA also listed open-source tools for investigating adversary activity in Microsoft cloud environments and for detecting unusual sign-in, service principal, and application activity: CISA's own Sparrow, the open-source utility Hawk, and CrowdStrike's Azure Reporting Tool (CRT).
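As an added illustration of the password-spraying initial access CISA describes above (this is not code from the article, from CISA, or from any of the tools named): a small detector over constructed Windows logon events that flags a source trying a few passwords against many accounts, rather than many passwords against one, and singles out any sprayed account that later logged on successfully. Event IDs 4625 and 4624 are the standard Windows failed and successful logon events; the sample events, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon events: (timestamp, source IP, account, event ID).
# 4625 = failed logon, 4624 = successful logon (Windows Security log IDs).
SAMPLE_EVENTS = [
    ("2021-01-08T09:00:01", "203.0.113.7", "alice", 4625),
    ("2021-01-08T09:00:03", "203.0.113.7", "bob", 4625),
    ("2021-01-08T09:00:05", "203.0.113.7", "carol", 4625),
    ("2021-01-08T09:00:07", "203.0.113.7", "dave", 4625),
    ("2021-01-08T09:00:09", "203.0.113.7", "erin", 4625),
    ("2021-01-08T09:00:11", "203.0.113.7", "frank", 4625),
    ("2021-01-08T09:05:00", "203.0.113.7", "frank", 4624),  # one sprayed account later succeeds
    ("2021-01-08T09:01:00", "198.51.100.9", "alice", 4625),
    ("2021-01-08T09:01:30", "198.51.100.9", "alice", 4625),
    ("2021-01-08T09:02:00", "198.51.100.9", "alice", 4625),  # one account hammered: not a spray
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failed logons are spread thinly across many accounts
    inside one time window (many distinct accounts, few attempts per account).
    Returns {source: {"distinct_accounts", "failures", "followed_by_success"}}."""
    by_source = defaultdict(list)
    for ts, src, user, event_id in events:
        by_source[src].append((datetime.fromisoformat(ts), user, event_id))
    findings = {}
    for src, rows in by_source.items():
        rows.sort()
        failures = [(t, u) for t, u, e in rows if e == 4625]
        succeeded = {u for _, u, e in rows if e == 4624}
        best, start = None, 0
        for end in range(len(failures)):  # sliding window over failed logons
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in failures[start:end + 1]:
                per_user[u] += 1
            spray_like = len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
            if spray_like and (best is None or len(per_user) > best["distinct_accounts"]):
                best = {
                    "distinct_accounts": len(per_user),
                    "failures": sum(per_user.values()),
                    "followed_by_success": sorted(succeeded & set(per_user)),  # triage these first
                }
        if best:
            findings[src] = best
    return findings
```

Running `detect_password_spray(SAMPLE_EVENTS)` flags only 203.0.113.7 (six accounts, one attempt each, with `frank` logging on afterwards); the repeated failures against a single account from 198.51.100.9 are left to a separate brute-force rule.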

