Cybersecurity firm FireEye has published a white paper providing a detailed overview of the techniques that the hacker group behind the recent SolarWinds breach used inside compromised networks.
The SolarWinds supply-chain attack came to light in December last year when FireEye revealed a breach of its own systems and the theft of its Red Team tools. Soon after, Microsoft also confirmed it was targeted by the SolarWinds hackers, who are thought to be working on behalf of the Russian government. The hackers had infected SolarWinds’s Orion software used by government agencies and private companies with the Sunburst malware, which allowed the attackers to further compromise computer networks.
The threat actor behind the SolarWinds breach is tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity).
According to SolarWinds, as many as 18,000 of its customers may have received infected updates, though it is believed that the number of directly affected companies is much smaller.
In some cases, the hackers deployed a second strain of malware known as Teardrop and then used several techniques to escalate access inside the local network and to the company's cloud resources, with a special focus on breaching Microsoft 365 infrastructure.
FireEye’s 39-page report outlines in great depth the four primary techniques used by the hackers:
1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 and that hold highly privileged directory roles, such as Global Administrator or Application Administrator.
4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
“Detection of forged SAML tokens actively being used against an organization has proven to be difficult. One possibility is to compare entries in the Azure AD Sign-Ins log against the security event logs of the on-premises AD FS servers to ensure that all authentications originated from AD FS,” the report notes.
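The correlation the report suggests can be sketched as a small script. The following is an added example written for this article, not code from FireEye's report or its auditing tool. It assumes an export of Azure AD sign-ins with a `tokenIssuerType` field (federated sign-ins carry `ADFederationServices`) and AD FS security audit events where Event ID 1200 records a token being issued; the field names, the five-minute lookback window and the clock-skew allowance are assumptions, and every log record below is constructed sample data. A federated sign-in that Azure AD accepted but for which no AD FS server issued a token in the preceding minutes is reported as a candidate forged token for an analyst to review.

```python
"""Correlate Azure AD sign-ins with on-premises AD FS token-issuance events.

Added illustration for this article (not FireEye's tool or code). Every
federated sign-in accepted by Azure AD should be preceded by an AD FS
Event ID 1200 ("The Federation Service issued a valid token") for the same
user. Federated sign-ins with no such event are flagged for review.
Field names and the matching windows are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed Azure AD sign-in export (values invented for the example).
AZURE_SIGNINS = [
    {"id": "s1", "upn": "alice@example.com", "time": "2020-12-14T10:00:05Z",
     "tokenIssuerType": "ADFederationServices"},
    {"id": "s2", "upn": "bob@example.com", "time": "2020-12-14T10:05:00Z",
     "tokenIssuerType": "ADFederationServices"},
    {"id": "s3", "upn": "carol@example.com", "time": "2020-12-14T10:09:00Z",
     "tokenIssuerType": "AzureAD"},  # cloud-only auth, AD FS not involved
    {"id": "s4", "upn": "alice@example.com", "time": "2020-12-14T12:00:00Z",
     "tokenIssuerType": "ADFederationServices"},
]

# Constructed AD FS security-log events collected from the federation servers.
ADFS_EVENTS = [
    {"eventId": 1200, "upn": "alice@example.com", "time": "2020-12-14T10:00:01Z"},
    {"eventId": 1200, "upn": "carol@example.com", "time": "2020-12-14T10:08:30Z"},
    {"eventId": 1202, "upn": "alice@example.com", "time": "2020-12-14T10:00:00Z"},  # credential validated, not a token issuance
]

TOKEN_ISSUED_EVENT_ID = 1200  # assumed AD FS audit event for "token issued"


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in both constructed logs."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unmatched_federated_signins(signins, adfs_events,
                                     lookback=timedelta(minutes=5),
                                     skew=timedelta(seconds=30)):
    """Return the ids of federated sign-ins with no AD FS token issuance.

    A sign-in at time T is considered explained if the same UPN has an
    Event ID 1200 in [T - lookback, T + skew]; the skew tolerates minor
    clock drift between the cloud and the federation servers.
    """
    issued = {}
    for ev in adfs_events:
        if ev["eventId"] != TOKEN_ISSUED_EVENT_ID:
            continue
        issued.setdefault(ev["upn"].lower(), []).append(parse_time(ev["time"]))

    unmatched = []
    for s in signins:
        if s["tokenIssuerType"] != "ADFederationServices":
            continue  # Azure AD authenticated this one itself; nothing to correlate
        t = parse_time(s["time"])
        candidates = issued.get(s["upn"].lower(), [])
        if not any(t - lookback <= c <= t + skew for c in candidates):
            unmatched.append(s["id"])
    return unmatched


if __name__ == "__main__":
    for sid in find_unmatched_federated_signins(AZURE_SIGNINS, ADFS_EVENTS):
        print(f"review: federated sign-in {sid} has no AD FS token-issuance event")
```

In the sample data, `s1` is explained by the AD FS event four seconds earlier, `s3` is a cloud-only sign-in and is skipped, while `s2` and `s4` are reported: neither user had a token issued by AD FS in the lookback window, which is exactly the gap the report says a forged SAML token would leave. In practice the same logic runs over the full sign-in export and the security logs of every AD FS server, and the windows should be tuned to the environment's observed latency.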
The report also includes practical remediation and hardening strategies that companies can implement. In addition, FireEye has released a free auditing tool named Azure AD Investigator to help companies determine whether any of these techniques are being used in their environments.