Microsoft: How ‘zero trust’ can protect against sophisticated hacker attacks

The range of techniques used by the SolarWinds attackers was sophisticated, but in many ways also well known and preventable, according to Microsoft.

To blunt future attacks of similar sophistication, Microsoft recommends that organizations adopt a “zero-trust mentality” that rejects the assumption that everything inside the corporate network is trustworthy. That is, organizations must assume breach and explicitly verify the security of user accounts, endpoint devices, the network and every other resource.


As Microsoft’s director of identity security, Alex Weinert, notes in a blog post, the top three attack vectors were compromised user accounts, compromised supplier accounts, and compromised supplier software.

Thousands of companies were affected by the SolarWinds breach, disclosed in mid-December. The attackers, tracked as UNC2452 / Dark Halo, targeted the build environment for SolarWinds’ Orion software, tampering with the step in which source code is compiled into the binary executable that customers deploy.

U.S. security vendor Malwarebytes said yesterday that it was hit by the same attackers, but not through the tainted Orion updates. Instead, the attackers got in by abusing applications with privileged access to Malwarebytes’ Office 365 and Azure environments, which gave them “access to a limited subset” of the company’s internal email.

According to Weinert, the attackers exploited gaps in “explicit verification” in each of the main attack vectors.

“Where user accounts have been compromised, techniques known as password spray, phishing or malware have been used to compromise the user’s credentials and give the attacker critical access to the customer’s network,” writes Weinert.

He argues that cloud-based identity systems, such as Azure Active Directory (Azure AD), are more secure than on-premises identity systems, because the latter lack cloud-based protections such as Azure AD Password Protection to eliminate weak passwords, recent advances in password spray detection, and improved AI models for preventing account compromise.
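Password spray detection, mentioned above, works by aggregating failed sign-ins per source rather than per account: a spray tries one or two common passwords against many accounts, so no single account trips a lockout threshold, but the source IP accumulates failures across many distinct users in a short window. The following is an added example, not code from the article or from Microsoft; the sign-in records are constructed and their field layout is an assumption loosely modelled on Azure AD sign-in logs.

```python
"""Password-spray detection over constructed sign-in records.

Added example, not code from the original article or from Microsoft.
A spray tries one or two common passwords against many accounts, so each
account sees only a failure or two (below per-account lockout thresholds)
while the source IP accumulates failures across many distinct accounts in
a short window. Aggregating per source instead of per account exposes it.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Columns: timestamp, user, source IP,
# result. The field set is an assumption for this example.
SAMPLE_SIGNINS = """\
2020-12-10T02:00:00,alice@corp.example,203.0.113.7,Failure
2020-12-10T02:00:04,bob@corp.example,203.0.113.7,Failure
2020-12-10T02:00:09,carol@corp.example,203.0.113.7,Failure
2020-12-10T02:00:13,dave@corp.example,203.0.113.7,Failure
2020-12-10T02:00:18,erin@corp.example,203.0.113.7,Failure
2020-12-10T02:00:22,frank@corp.example,203.0.113.7,Failure
2020-12-10T02:31:40,erin@corp.example,203.0.113.7,Success
2020-12-10T02:05:00,alice@corp.example,198.51.100.4,Failure
2020-12-10T02:05:30,alice@corp.example,198.51.100.4,Failure
2020-12-10T02:06:10,alice@corp.example,198.51.100.4,Failure
2020-12-10T02:06:45,alice@corp.example,198.51.100.4,Success
"""


def parse_signins(text):
    """Yield (time, user, ip, result) tuples from the CSV-style text above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = (f.strip() for f in line.split(","))
        yield datetime.fromisoformat(ts), user, ip, result


def detect_password_spray(text, window=timedelta(minutes=60), min_users=5):
    """Return one alert per source IP whose failed sign-ins hit at least
    `min_users` distinct accounts inside any `window`-long span.

    Each alert also lists accounts that later signed in successfully from
    the same IP: a success after a spray is the likely compromise.
    """
    events = sorted(parse_signins(text))
    failures = defaultdict(list)     # ip -> [(time, user)] in time order
    successes = defaultdict(set)     # ip -> {user}
    for ts, user, ip, result in events:
        if result == "Failure":
            failures[ip].append((ts, user))
        elif result == "Success":
            successes[ip].add(user)

    alerts = []
    for ip, fails in failures.items():
        # Sliding window: count distinct users failing within `window`.
        in_window = Counter()
        start = 0
        peak_users = 0
        for end, (ts, user) in enumerate(fails):
            in_window[user] += 1
            while ts - fails[start][0] > window:
                old_user = fails[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            peak_users = max(peak_users, len(in_window))
        if peak_users >= min_users:
            sprayed = {u for _, u in fails}
            alerts.append({
                "source_ip": ip,
                "distinct_users_failed": peak_users,
                # Low per-user counts are the tell: a spray stays under lockout.
                "max_failures_per_user": max(Counter(u for _, u in fails).values()),
                "compromised_accounts": sorted(sprayed & successes[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

In the constructed data, 203.0.113.7 fails once against six different accounts and then succeeds as one of them, which a per-account lockout of even three attempts would never catch; 198.51.100.4 is a single user mistyping a password and is not flagged.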

In the cases where the actor succeeded, Weinert notes that highly privileged vendor accounts lacked additional protections such as multi-factor authentication (MFA), IP range restrictions, device compliance requirements or access reviews. Microsoft finds that 99.9% of the compromised accounts it tracks each month do not use MFA.

MFA matters here because a compromised highly privileged account can be used to add a token-signing trust to the tenant and then forge SAML tokens that grant access to cloud resources. As the NSA noted in its advisory after the SolarWinds compromise was disclosed: “if malicious cyber actors are unable to obtain an on-premises signing key, they will attempt to obtain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust for forging SAML tokens.”

This attack technique could also have been blunted by stricter permissions on user accounts and devices.

“Even in the worst case of forging SAML tokens, excessive user permissions and missing device and network policy restrictions allowed the attacks to continue,” notes Weinert.
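The tenant-side path the NSA describes leaves a trail in the directory audit log: an account is granted a high-privilege role, and shortly afterwards that account changes federation settings or adds a credential to an application. The following monitor, an added example and not code from the article, the NSA advisory or Microsoft, correlates those two steps. The event records are constructed, and the operation names follow Azure AD audit log naming as I recall it; treat them as an assumption to verify against your own tenant’s audit schema.

```python
"""Audit-log review for the tenant-side setup that precedes SAML forging.

Added example; not code from the article, the NSA advisory or Microsoft.
Event records are constructed. Operation names follow Azure AD audit log
naming as I recall it and are an assumption to verify against your tenant.
"""
from datetime import datetime, timedelta

# Operations that change which keys the tenant trusts to sign tokens, or hand
# an application a new credential. Any one of them warrants review.
TOKEN_TRUST_OPERATIONS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
# Role grants that make the above possible for the account receiving them.
ROLE_GRANT_OPERATIONS = {"Add member to role", "Add eligible member to role"}
HIGH_PRIVILEGE_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Hybrid Identity Administrator",
    "Application Administrator",
}

# Constructed sample events. "target" is the domain, app or account acted on;
# "role" is present only on role-grant events.
SAMPLE_AUDIT_EVENTS = [
    {"time": "2020-12-09T09:00:00", "actor": "idadmin@corp.example",
     "operation": "Set federation settings on domain", "target": "corp.example"},
    {"time": "2020-12-10T01:15:00", "actor": "idadmin@corp.example",
     "operation": "Add member to role", "target": "svc-backup@corp.example",
     "role": "Global Administrator"},
    {"time": "2020-12-10T01:20:00", "actor": "hr-admin@corp.example",
     "operation": "Update user", "target": "newhire@corp.example"},
    {"time": "2020-12-10T01:55:00", "actor": "svc-backup@corp.example",
     "operation": "Add service principal credentials", "target": "mail-archiver-app"},
]

# Constructed allow-list of accounts expected to touch federation and app credentials.
APPROVED_TRUST_ADMINS = {"idadmin@corp.example"}


def review_audit_log(events, approved_actors, elevation_window=timedelta(hours=24)):
    """Return findings for token-trust changes. A change is 'review' by default
    and escalates to 'critical' when the actor is not approved for such changes
    or was granted a high-privilege role within `elevation_window` before
    acting (the add-admin-then-add-credential sequence)."""
    events = sorted(events, key=lambda e: e["time"])   # ISO timestamps sort lexically
    elevated_at = {}   # account -> time it received a high-privilege role
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["time"])
        op = e["operation"]
        if op in ROLE_GRANT_OPERATIONS and e.get("role") in HIGH_PRIVILEGE_ROLES:
            elevated_at[e["target"]] = when
            continue
        if op not in TOKEN_TRUST_OPERATIONS:
            continue
        reasons = [f"{op} on {e['target']}"]
        severity = "review"
        if e["actor"] not in approved_actors:
            severity = "critical"
            reasons.append("actor is not an approved trust administrator")
        granted = elevated_at.get(e["actor"])
        if granted is not None and when - granted <= elevation_window:
            severity = "critical"
            minutes = int((when - granted).total_seconds() // 60)
            reasons.append(f"actor was granted a high-privilege role {minutes} minutes earlier")
        findings.append({"time": e["time"], "actor": e["actor"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_EVENTS, APPROVED_TRUST_ADMINS):
        print(finding)
```

In the constructed log the routine federation change by the approved administrator is surfaced for review only, while the service account that was made Global Administrator and added an application credential 40 minutes later is flagged critical on both counts. Role grants alone are not reported here; in practice they belong in their own review queue.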

“Zero Trust’s first principle is to verify explicitly – be sure to extend this verification to all access requests, even those from vendors and especially those from on-premises environments.”

The Microsoft veteran finally offers a reminder of why least-privilege access is critical to minimizing an attacker’s ability to move laterally once inside a network. It compartmentalizes an intrusion by limiting what a compromised user, device or network segment can reach.

With Solorigate – the name Microsoft uses for the SolarWinds malware – the attackers “took advantage of broad role assignments, permissions that exceeded role requirements and, in some cases, abandoned accounts and applications that should not have had any permissions,” observes Weinert.

Weinert acknowledges that the SolarWinds hack was a “truly significant and advanced attack”, but the risk from the techniques used can be significantly reduced or mitigated with these best practices.
