The aim of the SolarWinds hackers was the victims’ cloud data

Microsoft: SolarWinds hackers' goal was victims' cloud data

Microsoft says the ultimate goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst / Solorigate backdoor on their on-premises networks.

In a blog post published on Monday that gives Microsoft 365 Defender users threat-hunting techniques for investigating Sunburst attacks, Microsoft shared no new tactics, techniques and procedures (TTPs).

However, Microsoft did share another important piece of information: the ultimate goal of the SolarWinds attackers, something that had only been hinted at before.

Sights set on cloud resources

As the Microsoft 365 Defender team explains, after infiltrating a target's network with the help of the Sunburst backdoor, the attackers' goal is to gain access to the victims' cloud assets.

“With this generalized initial base, attackers can choose the specific organizations in which they want to continue operating (while others remain an option at any point, as long as the backdoor is installed and undetected),” explains Microsoft.

“Based on our investigations, the next stages of the attack involve local activities aimed at external access to cloud resources [...].”

Previous Microsoft articles on the SolarWinds supply chain attack and guidance from the National Security Agency (NSA) had already suggested that the attackers' ultimate goal was to forge Security Assertion Markup Language (SAML) authentication tokens, allowing access to cloud resources.

[Figure: Overview of the Solorigate attack chain. Source: Microsoft]

The threat actors behind the SolarWinds hack first had to compromise the SolarWinds Orion Platform build system and abuse it to deliver a backdoor injected into a legitimate DLL, shipped to customers through the platform's software update mechanism.

Once the DLL is loaded when the application starts, the backdoor reaches out to its command-and-control server and allows the threat actors to infiltrate the network.

They then elevate privileges and move laterally through the victim's network with the ultimate goal of obtaining administrator privileges or stealing the private SAML token-signing key.

Once they have either, they forge trusted SAML tokens that allow them to access cloud assets and exfiltrate email from accounts of interest.

Attack chain and mitigation of unauthorized access to the cloud

Microsoft also detailed the step-by-step procedure used by attackers to gain access to their victims’ cloud assets:

  1. Use the compromised SolarWinds DLL to activate a backdoor that gives the attackers remote control of a device
  2. Use the backdoor access to steal credentials, escalate privileges and move laterally until they can create valid SAML tokens, via either of two paths:
    1. Steal the SAML token-signing certificate (Path 1)
    2. Add to or modify the existing federation trust (Path 2)
  3. Use the attacker-created SAML tokens to access cloud resources and perform actions that lead to email exfiltration and persistence in the cloud

In its guidance highlighting the TTPs the SolarWinds hackers use to pivot to cloud resources, the NSA also shared mitigations against unauthorized cloud access, aimed at making it harder for threat actors to gain access to on-premises federation and identity services.

The NSA recommends enforcing multi-factor authentication, removing unnecessary applications that hold credentials, disabling legacy authentication, and using a FIPS-validated Hardware Security Module (HSM) to protect the token-signing private keys.

Searching on-premises and cloud logs for signs of suspicious tokens, as well as looking for indicators of compromise (IOCs) and attempts to abuse the authentication mechanism, can also be used by both the tenant and the cloud service provider to detect these attacks.
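As an added illustration of the two hunting checks the attack chain above and the NSA guidance describe (this is example code written for this article, not a tool from Microsoft, the NSA or CISA), the Python below runs over constructed sample records: it flags cloud audit operations that add or change federation trust (Path 2), and flags federated sign-ins whose SAML token either has no matching on-premises AD FS issuance event or carries a lifetime longer than the IdP normally issues (a forged token from Path 1). The record field names, the 1-hour normal lifetime, the 120-second match window and the assumption that AD FS auditing is enabled and that the SIEM exposes the assertion validity window are all assumptions made for the example; the two operation names in FEDERATION_OPS are assumed to be the ones recorded in the tenant audit log for federation changes.

```python
from datetime import datetime, timedelta

# --- Constructed sample data (not real logs) --------------------------------
# Field names are simplified assumptions; real Azure AD / Microsoft 365 audit
# and sign-in records carry many more fields under different names.

# Tenant-level audit operations (cloud side). The second record is the trace
# an attacker taking Path 2 (modifying federation trust) would leave behind.
CLOUD_AUDIT = [
    {"time": "2020-12-14T09:55:00", "operation": "Update user",
     "actor": "admin@corp.example", "target": "jdoe@corp.example"},
    {"time": "2020-12-14T10:02:00", "operation": "Set federation settings on domain",
     "actor": "svc-sync@corp.example", "target": "corp.example"},
]

# On-premises AD FS token-issuance events (assumes AD FS auditing is enabled).
ADFS_ISSUANCE = [
    {"time": "2020-12-14T10:00:10", "user": "jdoe@corp.example"},
]

# Cloud sign-ins through the federated domain, with the SAML assertion
# validity window as extracted by a SIEM (assumed to be available).
CLOUD_SIGNINS = [
    {"user": "jdoe@corp.example", "issued_at": "2020-12-14T10:00:12",
     "not_after": "2020-12-14T11:00:12"},   # legitimate: 1 h lifetime, AD FS event 2 s earlier
    {"user": "ceo@corp.example", "issued_at": "2020-12-14T10:30:00",
     "not_after": "2020-12-15T10:30:00"},   # forged: 24 h lifetime, no AD FS event at all
]

# Audit operations that change who may mint tokens for the tenant (Path 2).
# Assumed operation names for this example.
FEDERATION_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
}

MATCH_WINDOW = timedelta(seconds=120)  # how close an AD FS event must be to the cloud sign-in
MAX_LIFETIME = timedelta(hours=1)      # longest assertion lifetime the IdP is configured to issue


def _t(s):
    return datetime.fromisoformat(s)


def find_federation_changes(audit):
    """Return audit records that add or modify federation trust (Path 2)."""
    return [r for r in audit if r["operation"] in FEDERATION_OPS]


def find_suspicious_tokens(signins, adfs_events, window=MATCH_WINDOW, max_lifetime=MAX_LIFETIME):
    """Flag federated sign-ins whose SAML token looks attacker-minted.

    Check (a): no AD FS issuance event for the same user within `window` of the
    token's issue time, i.e. the token never passed through the real IdP.
    Check (b): the assertion lifetime exceeds what the IdP normally issues.
    """
    issued = {}
    for e in adfs_events:
        issued.setdefault(e["user"], []).append(_t(e["time"]))

    findings = []
    for s in signins:
        issued_at, not_after = _t(s["issued_at"]), _t(s["not_after"])
        reasons = []
        if not any(abs(issued_at - t) <= window for t in issued.get(s["user"], [])):
            reasons.append("no matching AD FS issuance event")
        lifetime = not_after - issued_at
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds {max_lifetime}")
        if reasons:
            findings.append({"user": s["user"], "issued_at": s["issued_at"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for r in find_federation_changes(CLOUD_AUDIT):
        print(f"[PATH 2] {r['time']} {r['actor']} -> {r['operation']} on {r['target']}")
    for f in find_suspicious_tokens(CLOUD_SIGNINS, ADFS_ISSUANCE):
        print(f"[TOKEN]  {f['issued_at']} {f['user']}: {'; '.join(f['reasons'])}")
```

On the sample data the first check reports the federation-settings change made by the sync service account, and the second reports only the ceo@corp.example sign-in, for both reasons. The caveat a practitioner should keep in mind is that check (a) is only as good as the on-premises log coverage: if AD FS auditing is off, or the attacker already controls the AD FS server and its logs, the absence of an issuance event proves nothing, which is why the NSA guidance pairs log review with keeping the signing key in an HSM.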

Last week, the FBI also shared a TLP:WHITE Private Industry Notification [PDF] with information on how system administrators and security professionals can determine whether APT actors have exploited the SolarWinds compromise on their systems.

DHS-CISA and cybersecurity company CrowdStrike have also released free detection tools that search audit logs for anomalous SAML token usage and enumerate the privileges assigned within an Azure tenant.
