The complex cyberattack campaign against major US government agencies and corporations including Microsoft and FireEye has driven home the reality of how attackers are setting their sights on targets' cloud-based services such as Microsoft 365 and Azure Active Directory to access user credentials — and ultimately the organizations' most valuable and timely information.
Today Malwarebytes revealed that it, too, was compromised by the same attackers who infected SolarWinds' Orion network management software to reach many of the targets in the campaign — but via a different attack vector that gained privileged access to 365 and Azure. "After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments," Marcin Kleczynski, CEO and co-founder of Malwarebytes, said today in a blog post disclosing the breach, noting that Malwarebytes is not a SolarWinds customer.
Security researchers and incident responders investigating the massive attacks — believed to be the handiwork of Russia's nation-state hacking machine — meanwhile continue to find new weapons used in the campaign, even as new victims come forward.
Symantec today detailed a fourth malware tool, a dropper dubbed Raindrop, used to move laterally in the victim's network and deliver a malicious Cobalt Strike payload onto other computers. Unlike the previously discovered Teardrop dropper used in the attacks to run Cobalt Strike, Raindrop doesn't appear to have been spread directly by the Sunburst Trojan planted in SolarWinds' Orion software updates: "Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst," Symantec's Threat Hunter Team wrote in a blog post today.
Incident response (IR) experts at FireEye Mandiant — where the attacks were first detected and traced to a compromise of SolarWinds' software — today published a white paper that explains in detail how the SolarWinds attackers as well as other threat groups are hacking organizations from their on-premises networks to Microsoft 365 and other cloud services. Mandiant's report explains how the attackers were able to slice through victim organizations' Microsoft 365 cloud environments after hopping onto their SolarWinds software updates, mainly attacking Active Directory and stealing and forging user credentials.
As details of the attack chain and malware gradually emerge, experts say the epic attack signals a new normal for cyber espionage. Costin Raiu, head of Kaspersky's global research and analysis team, says the SolarWinds attack campaign illustrates how nation-state attackers are going after real-time information — and how challenging it is for targeted organizations to detect it. "I think there's a new dimension of [nation-state] hacking with all of the Office 365 and Azure AD Cloud out there," he says.
"Everything is happening in the cloud and no one sees anything. At best, you [the victim] get a notification from Microsoft that something bad is going on," Raiu notes.
Cloud visibility indeed has been one of the biggest problems and security weaknesses for organizations the past year. COVID-19 last year forced many businesses to accelerate their cloud migration plans when they relocated employees to makeshift home offices, creating hybrid physical and cloud-based IT infrastructures practically overnight. Microsoft 365 replaced enterprise email servers.
Most reputable cloud-based services such as 365 come with built-in security controls, but it's still up to the customer to manage and configure those settings — and that's often the problem. It's a recipe for compromise by determined nation-state actors like the as-yet unidentified hacking team behind those attacks. FireEye refers to the attackers as UNC2452, while US government intelligence has publicly cited Russia as the perpetrator in the attacks. Most security firms thus far have declined to ID Russia or a specific nation-state group.
Raiu notes that while a foundation of cyber espionage traditionally has been about stealing sensitive documents, now there's a doubling down on real-time information-sharing and spying. "Nowadays it appears people understand the most sensitive information is being discussed with others. ... If you want real-time, actionable intel you go after email and instant" messaging platforms, he says.
As with the case of the SolarWinds attacks, that means getting to email accounts and mobile devices at the targeted organization. "Some of this can be quite stealthy," he says, and it's often difficult to detect malware dropped on a mobile phone, for example. "It's a complex ecosystem."
Matthew McWhirt, director at FireEye's Mandiant and co-author of its newly released report on the SolarWinds attackers, says his IR teams see an abundance of 365 user accounts with too many and unnecessary privileges that leave the organization vulnerable to attackers, especially when they migrate their on-site Active Directory user accounts to Azure AD and 365. A common misstep: syncing an on-premises privileged account to one that manages Azure AD and 365. That gives an attacker a lateral path from the internal network to the organization's cloud-based 365 environment.
Users should separate the account that manages 365 from the domain admin account for the internal network, he says.
Mandiant has spotted attackers finding and stealing credentials from on-premises, privileged AD accounts and then connecting to 365. Then the attacker can connect to and gain a foothold in the victim's 365 account "without the continued need for on-premises access," the company wrote in its paper.
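The misstep McWhirt describes can be audited from a directory export: flag every account that is synced from on-premises AD and also holds a privileged Azure AD or 365 role, and rank highest those that are privileged on both sides. The example below is added here and is not Mandiant's Azure AD Investigator or any Microsoft tool; the export format, field names and the sample accounts are constructed assumptions.

```python
import json

# Constructed sample export (not real tenant data). The field names are an
# assumption about what a directory export would carry: whether the account is
# synced from on-premises AD, its on-prem group memberships, and its Azure AD roles.
SAMPLE_EXPORT = json.dumps({
    "users": [
        {"upn": "jdoe@example.com", "dirSyncEnabled": True,
         "onPremGroups": ["Domain Admins"], "cloudRoles": ["Global Administrator"]},
        {"upn": "cloudadmin@example.onmicrosoft.com", "dirSyncEnabled": False,
         "onPremGroups": [], "cloudRoles": ["Global Administrator"]},
        {"upn": "asmith@example.com", "dirSyncEnabled": True,
         "onPremGroups": ["Domain Users"], "cloudRoles": ["Exchange Administrator"]},
        {"upn": "bjones@example.com", "dirSyncEnabled": True,
         "onPremGroups": ["Domain Users"], "cloudRoles": []},
    ]
})

# A selection of built-in Azure AD roles and on-prem AD groups treated as
# privileged for this check; extend the sets to match your own tenant policy.
PRIVILEGED_CLOUD_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Exchange Administrator", "Application Administrator",
}
PRIVILEGED_ONPREM_GROUPS = {"Domain Admins", "Enterprise Admins"}


def audit_synced_privileged_accounts(export_json):
    """Return one finding per directory-synced account holding a privileged
    Azure AD / 365 role. Severity is 'high' when the same account is also
    privileged on-premises (the lateral path described above), else 'medium'.
    Cloud-only admin accounts are the recommended pattern and produce no finding."""
    findings = []
    for user in json.loads(export_json)["users"]:
        cloud_priv = set(user["cloudRoles"]) & PRIVILEGED_CLOUD_ROLES
        if not (user["dirSyncEnabled"] and cloud_priv):
            continue
        onprem_priv = set(user["onPremGroups"]) & PRIVILEGED_ONPREM_GROUPS
        findings.append({
            "upn": user["upn"],
            "severity": "high" if onprem_priv else "medium",
            "cloudRoles": sorted(cloud_priv),
            "onPremGroups": sorted(onprem_priv),
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["upn"]))


if __name__ == "__main__":
    for f in audit_synced_privileged_accounts(SAMPLE_EXPORT):
        print(f"[{f['severity'].upper()}] {f['upn']}: cloud roles {f['cloudRoles']}"
              f" on-prem groups {f['onPremGroups']}")
```

The remediation for each finding is the separation McWhirt recommends: a cloud-only account for Azure AD and 365 administration, with the synced account stripped of its cloud roles.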
The security vendor has also released a free script-based tool on GitHub — Azure AD Investigator — which checks Microsoft 365 tenants for UNC2452 attack techniques.
"A lot of what we see is technology overload, honestly," notes Doug Bienstock, manager of professional services at Mandiant, co-author of the new white paper on UNC2452. "When organizations are using [Microsoft] Exchange in their own data center, it's [Exchange] well-defined. ... But when they switch to 365, all of a sudden they have 50 different apps and all different ways of accessing it, with modern standards like OAuth and SAML. Some organizations are not well equipped to deal with it."
Microsoft, which last month discovered its own SolarWinds software had been compromised in the attacks, has published specific guidelines for defending 365 from SolarWinds and other attacks via the internal network. "Alongside our industry partners and the security community, Microsoft continues to investigate the extent of the recent nation-state attack on SolarWinds," a Microsoft spokesperson said in a statement to Dark Reading. "Our goal is to provide the latest threat intelligence, Indicators of Compromise (IOCs), and guidance across our products and solutions to help the community respond, harden infrastructure, and begin to recover from this unprecedented attack. As new information becomes available, we will make updates to the article at https://aka.ms/solorigate."
The underlying issue with organizations insufficiently locking down 365 is an age-old one: "What we are seeing is more a tension between security and usability" with 365 attacks, Mandiant's Bienstock says. Attackers are going after apps integrated with 365, so protecting them requires "hardening" them or just turning off access to apps or protocols you don't need, he and his co-authors advise in their paper.
UNC2452 and other threat groups have moved laterally from the victim's network to 365 cloud-based accounts via a mix of four basic approaches, according to Mandiant: pilfering the Active Directory Federation Services token-signing certificate and using that to create fake tokens and to pose as a legitimate user to 365; adding an Azure AD backdoor to forge tokens; hijacking a 365 app via rogue credentials; and abusing and compromising privileged user credentials from the enterprise network that are synced to the victim's 365 environment.
"The intrusion is centered around abuse of trust," notes Joe Slowik, senior security researcher at DomainTools, on the attack campaign. "That's what makes this a relatively difficult thing to deal with."
The attacks in the campaign that began with the SolarWinds Orion infection basically scored the attackers a network map of their target's environment. Chris Morales, head of security analytics at Vectra, a network threat and detection response provider, says Orion access gave the attackers a more efficient way to pinpoint how to get to what they wanted from the victims. "In an attack life cycle, speed and time is the most important thing in security. How long it takes them to get in and get to what they care about," he says. "Network recon is a huge opportunity for detection," he adds, so already having that map made the attack easier and less likely to get detected.
"Sunburst [the SolarWinds attack] is a blueprint for future attacks. It shortens the gap of how long an attack will take," Morales adds.
Microsoft 365 is one of the largest attack surfaces in many organizations today, he says. When attackers like these get into 365, it's powerful: "Now they are persistent and stay in Office. ... You now see attacks that never leave Office. They've taken over identities and other accounts."
The attackers conducted a lot of "surgical" hands-on-keyboard hacking, which appears to indicate a very targeted campaign, Kaspersky's Raiu says. Once they were ready to home in on a victim, they deployed Cobalt Strike red-team software, which then requires human control, he notes. "There's a limited capacity for all of this manual work."