medvorti.blogg.se

Malwarebytes solarwinds azure

A fourth malware strain wielded by the SolarWinds attackers has been detailed by Symantec researchers, followed by the disclosure of the attackers' ingenious lateral movement techniques and the release of an auditing script by FireEye researchers that organizations can use to check their Microsoft 365 tenants for signs of intrusion.

On Monday, Symantec shared the result of their analysis of Raindrop, a loader that, similarly to the Teardrop backdoor, delivers a customized Cobalt Strike Beacon. Unlike Teardrop, which was delivered by the initial Sunburst (Solorigate) backdoor, Raindrop was used for spreading across the victim's network, and there is no evidence to date of it being delivered directly by Sunburst.

"Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst," the researchers shared.

Symantec has released indicators of compromise (IOCs) and YARA rules that can come in handy to defenders.

Then, on Tuesday, Malwarebytes CEO Marcin Kleczynski disclosed that the same nation-state attackers targeted and breached the company, but not through a compromised SolarWinds Orion installation (Malwarebytes does not use Orion).

"We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks," Kleczynski shared. "We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments," he said.

CISA has previously published a security alert in which it said that "the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged."

Techniques used by the attackers

FireEye is the firm that first uncovered the activities of the SolarWinds hackers and has visibility into many intrusions perpetrated by them, which allowed it to detail several methodologies used by the attackers (and other threat actors) to move laterally from targets' on-premises networks to the Microsoft 365 cloud:

  • Stealing the Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users (aka a Golden SAML attack).
  • Modifying or adding trusted domains in Azure AD to add a new federated identity provider (controlled by the attackers).
  • Compromising the credentials of on-premises user accounts that are synchronized to Microsoft 365 and that hold highly privileged directory roles (e.g., Global Administrator or Application Administrator).
  • Backdooring an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application (e.g., the ability to read email, send email as an arbitrary user, access user calendars, etc.).

Of the four, the first is the hardest to spot after the fact: a token forged with the stolen token-signing key is never issued by AD FS, so it leaves no AD FS issuance record and remains valid until the token-signing certificate is rotated. The other three all change tenant configuration (domain federation settings, application and service principal credentials, directory role membership) and therefore leave entries in the Azure AD audit log.

FireEye subsidiary Mandiant has published a paper detailing these techniques thoroughly, as well as detection and remediation advice and strategies. They've also released Azure AD Investigator, a PowerShell tool for detecting artifacts that may be indicators of these techniques having been used against organizations.

CISA has also previously detailed some of these techniques, offered advice on detection methods and pointed to various tools available to detect recent domain authentication or federation modifications, detect new and modified credentials applied to applications and service principals, gather data from O365 and Azure for security investigation, help organizations analyze permissions in their Azure AD tenant and service configuration, etc.
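To make the detection side of these techniques concrete, the following is an added Python example; it is not code from the article, nor Mandiant's Azure AD Investigator or any CISA tool. It triages Azure AD audit-log records, in the shape returned by the Microsoft Graph directoryAudits API (activityDateTime, activityDisplayName, initiatedBy, targetResources), for the operations that the last three techniques leave behind: federation changes on a domain, new credentials added to applications or service principals, and privileged directory roles granted to accounts synchronized from on-premises. The Golden SAML technique is deliberately not covered, since a forged token produces no directory-audit record. The records, the tenant and domain names, and the list of synced accounts are all constructed for illustration.

```python
"""Triage Azure AD audit records for cloud lateral-movement techniques.

Added example, not code from the article, Mandiant or CISA. Record layout
follows the Microsoft Graph directoryAudits schema; the records, names and
the synced-user list below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

# activityDisplayName values the Azure AD audit log emits for the operations
# each technique performs (the application one is matched on a substring
# because the full name contains a dash whose exact form varies in exports).
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication",
                         "Add unverified domain", "Add verified domain"}
SP_CREDENTIAL_ACTIVITY = "Add service principal credentials"
APP_CREDENTIAL_MARKER = "Certificates and secrets management"   # "Update application - ..."
ROLE_ACTIVITY = "Add member to role"
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator",
                    "Cloud Application Administrator", "Privileged Role Administrator"}


def _actor(rec):
    """Who performed the change: a user UPN or, for app-driven changes, the app name."""
    by = rec.get("initiatedBy", {})
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def _role_name(rec):
    """For 'Add member to role' the role arrives as modified property Role.DisplayName
    with a JSON-encoded string in newValue."""
    for target in rec.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop.get("newValue") or '""')
    return None


def triage(records, synced_users, now, window=timedelta(days=30)):
    """Return findings for records inside `window` that match a technique.

    synced_users: UPNs with onPremisesSyncEnabled, pulled separately from the
    user objects, because audit records do not carry that attribute."""
    findings, cutoff = [], now - window
    for rec in records:
        when = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        activity = rec.get("activityDisplayName", "")
        targets = [t.get("userPrincipalName") or t.get("displayName")
                   for t in rec.get("targetResources", [])]
        base = {"actor": _actor(rec), "when": when.isoformat(),
                "activity": activity, "targets": targets}
        if activity in FEDERATION_ACTIVITIES:
            findings.append({"technique": "federation-change", **base})
        elif activity == SP_CREDENTIAL_ACTIVITY or APP_CREDENTIAL_MARKER in activity:
            findings.append({"technique": "credential-added", **base})
        elif activity == ROLE_ACTIVITY and _role_name(rec) in PRIVILEGED_ROLES:
            synced = any(t in synced_users for t in targets)
            findings.append({"technique": "privileged-role-synced-account" if synced
                             else "privileged-role-assignment", "role": _role_name(rec), **base})
    return findings


# Constructed sample data (not real tenant data).
NOW = datetime(2021, 1, 20, tzinfo=timezone.utc)
SYNCED_USERS = {"svc-backup@contoso.example"}
SAMPLE_RECORDS = [
    {"activityDateTime": "2021-01-18T03:12:44Z",            # technique 2
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "ga-admin@contoso.example"}},
     "targetResources": [{"displayName": "contoso.example", "modifiedProperties": [
         {"displayName": "IssuerUri", "oldValue": None,
          "newValue": "\"http://adfs.attacker.example/adfs/services/trust\""}]}]},
    {"activityDateTime": "2021-01-18T03:20:10Z",            # technique 4
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "ga-admin@contoso.example"}},
     "targetResources": [{"displayName": "Mail Archiver", "modifiedProperties": [
         {"displayName": "KeyDescription", "oldValue": "[]",
          "newValue": "[\"[KeyIdentifier=9f1c,KeyType=Password,KeyUsage=Verify]\"]"}]}]},
    {"activityDateTime": "2021-01-17T22:05:01Z",            # technique 3
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "ga-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "svc-backup@contoso.example", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2021-01-19T09:00:00Z",            # benign: non-privileged role
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Reports Reader\""}]}]},
    {"activityDateTime": "2020-11-02T10:00:00Z",            # outside the 30-day window
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "ga-admin@contoso.example"}},
     "targetResources": [{"displayName": "Old Integration", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, SYNCED_USERS, NOW):
        print(f"{f['when']} {f['technique']:32} {f['actor']} -> {f['targets']}")
```

Run on the constructed records, the script reports three findings (the federation change, the new service principal secret and the Global Administrator grant to the synced account) and ignores the benign role grant and the record outside the window. Note that the synced-account check cross-references a separately obtained set of UPNs: audit records do not say whether a user is synchronized from on-premises, so in a real investigation that set comes from the user objects themselves (the onPremisesSyncEnabled attribute), and the actor column is the first thing to pivot on, since one compromised administrator account typically appears on all three changes.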