Microsoft: How ‘zero trust’ can protect against sophisticated intrusion attacks

According to Microsoft, the range of techniques used by the SolarWinds hackers was sophisticated, but in many ways also ordinary and preventable.

To prevent future attacks of similar sophistication, Microsoft recommends that organizations adopt a ‘zero trust mentality’, rejecting the assumption that everything inside an IT network is secure. That is, organizations must assume breach and explicitly verify the security of user accounts, endpoint devices, the network, and other resources.


As Microsoft’s director of identity security, Alex Weinert, noted in a blog post, the three main attack vectors were compromised user accounts, compromised vendor accounts, and compromised vendor software.

Thousands of companies were affected by the SolarWinds breach, which was disclosed in mid-December. The hackers, tracked as UNC2452 / Dark Halo, targeted the build environment for SolarWinds’ Orion software and tampered with the process that compiles the program from source code into the binary executable shipped to customers.

The American security vendor Malwarebytes announced yesterday that it was hit by the same attackers, but not through the tampered Orion updates. Instead, the attackers breached Malwarebytes by abusing applications with privileged access to its Office 365 and Azure infrastructure, giving them access to ‘a limited subset’ of Malwarebytes’ internal email.

According to Weinert, the attackers exploited gaps in “explicit verification” in each of the main attack vectors.

“Where user accounts have been compromised, well-known techniques such as password spraying, phishing or malware have been used to compromise user credentials and have given the attacker critical access to the client network,” Weinert writes.

He argues that cloud-based identity systems such as Azure Active Directory (Azure AD) are more secure than on-premises identity systems because the latter lack cloud protections such as Azure AD password protection to block weak passwords, recent advances in password spray detection, and improved AI to prevent account compromises.
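Password spray detection, mentioned above, rests on a simple observation: a spraying source tries one or two common passwords against many accounts, whereas a brute-force source hammers one account many times. The following is an added example (not Microsoft's or Azure AD's detection logic) that applies that rule to a constructed set of sign-in records: it flags any source IP whose failed sign-ins touch at least five distinct accounts within a ten-minute sliding window, and then lists which accounts that IP subsequently signed into successfully. The log format, the IP addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real data): time, account, source IP, outcome.
# 198.51.100.7 fails against many accounts and then hits one (a spray);
# 203.0.113.9 fails repeatedly against a single account (brute force, not a spray);
# 192.0.2.44 is a user who mistyped a password once.
SAMPLE_SIGNINS = """\
2021-01-20T10:00:01Z alice@example.test 198.51.100.7 FAILURE
2021-01-20T10:00:03Z bob@example.test 198.51.100.7 FAILURE
2021-01-20T10:00:05Z carol@example.test 198.51.100.7 FAILURE
2021-01-20T10:00:07Z dave@example.test 198.51.100.7 FAILURE
2021-01-20T10:00:09Z erin@example.test 198.51.100.7 FAILURE
2021-01-20T10:00:11Z frank@example.test 198.51.100.7 FAILURE
2021-01-20T10:00:12Z frank@example.test 198.51.100.7 SUCCESS
2021-01-20T10:01:00Z grace@example.test 203.0.113.9 FAILURE
2021-01-20T10:01:05Z grace@example.test 203.0.113.9 FAILURE
2021-01-20T10:01:10Z grace@example.test 203.0.113.9 FAILURE
2021-01-20T10:01:15Z grace@example.test 203.0.113.9 FAILURE
2021-01-20T10:01:20Z grace@example.test 203.0.113.9 FAILURE
2021-01-20T10:01:25Z grace@example.test 203.0.113.9 FAILURE
2021-01-20T10:02:00Z heidi@example.test 192.0.2.44 FAILURE
2021-01-20T10:02:30Z heidi@example.test 192.0.2.44 SUCCESS
"""


def parse_signins(text):
    """Turn the constructed log into (timestamp, account, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failures hit >= min_accounts distinct accounts inside one
    sliding window, and report which accounts that IP later signed into successfully."""
    failures = defaultdict(list)
    for ts, account, ip, outcome in events:
        if outcome == "FAILURE":
            failures[ip].append((ts, account))

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until all failures in view fall inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            targeted = {acct for _, acct in fails[start:end + 1]}
            if len(targeted) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(targeted))

    report = {}
    for ip, count in flagged.items():
        spray_start = min(ts for ts, _ in failures[ip])
        # A success from the spraying IP after the spray began is the account to triage first.
        hits = sorted({acct for ts, acct, src, outcome in events
                       if src == ip and outcome == "SUCCESS" and ts >= spray_start})
        report[ip] = {"accounts_targeted": count, "successes": hits}
    return report


if __name__ == "__main__":
    for ip, detail in detect_password_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(ip, detail)
```

The brute-force source is deliberately not flagged by this rule: it is caught by ordinary per-account lockout, while a spray stays under that threshold by design, which is why the detection keys on the number of distinct accounts per source rather than the number of failures per account.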

In the cases where the actor succeeded, Weinert notes, highly privileged vendor accounts lacked additional protections such as multifactor authentication (MFA), IP range restrictions, device compliance, or access reviews. Microsoft has found that 99.9% of the compromised accounts it sees each month do not use MFA.

MFA is a key safeguard, because compromised accounts with high privileges can be used to forge SAML tokens to access cloud resources. As the NSA noted in its advisory after the SolarWinds hack was disclosed: ‘If the malicious cyber actors are unable to obtain an on-premises signing key, they will try to obtain sufficient administrative privileges in the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.’

This attack technique can also be thwarted if there are stricter permissions on user accounts and devices.

“Even in the worst case of the SAML token forgery, excessive user permissions and the lack of permissions and network policy restrictions allowed the attacks to progress,” Weinert notes.
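The SAML forgery path described above leaves two things a defender can look for in logged assertions: a signing certificate that is not the federation server's known certificate (the attacker either stole the key or added a trust relationship for a certificate of their own), and a validity window far longer than the federation server would normally issue. The following is an added example, not code from Microsoft, the NSA or any SAML library, that audits a constructed assertion for those indicators. It checks only metadata (issuer, signing-certificate fingerprint, validity window) and does not validate the XML signature itself; the issuer URI, the one-hour lifetime limit and the certificate bytes are all assumptions made for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER-encoded certificates; these are not real X.509 data.
# Only their fingerprints matter to the audit.
LEGIT_CERT_DER = b"constructed: legitimate federation signing certificate"
ROGUE_CERT_DER = b"constructed: certificate added through excess cloud admin rights"

TRUSTED_FINGERPRINTS = {hashlib.sha256(LEGIT_CERT_DER).hexdigest()}
TRUSTED_ISSUER = "http://sts.example.test/adfs/services/trust"  # assumed issuer URI
MAX_LIFETIME = timedelta(hours=1)                                # assumed policy limit


def build_assertion(cert_der, issuer, not_before, not_on_or_after):
    """Build a minimal, constructed assertion carrying the fields the audit inspects."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></ds:Signature>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        f"</saml:Assertion>"
    )


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_assertion(xml_text):
    """Return indicator names found in an assertion: an issuer other than the federation
    server, a signing certificate whose fingerprint is not on the trusted list, or a
    validity window longer than policy allows. Metadata checks only; no signature math."""
    root = ET.fromstring(xml_text)
    findings = []

    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        findings.append("untrusted-issuer")

    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert_b64 is None:
        findings.append("missing-signing-cert")
    elif hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() not in TRUSTED_FINGERPRINTS:
        findings.append("unknown-signing-cert")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("missing-conditions")
    elif _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore")) > MAX_LIFETIME:
        findings.append("excessive-lifetime")

    return findings


# Constructed inputs: one assertion as the federation server would issue it, and one
# signed with the rogue certificate and given a 24-hour lifetime.
LEGIT_ASSERTION = build_assertion(LEGIT_CERT_DER, TRUSTED_ISSUER,
                                  "2021-01-20T10:00:00Z", "2021-01-20T11:00:00Z")
FORGED_ASSERTION = build_assertion(ROGUE_CERT_DER, TRUSTED_ISSUER,
                                   "2021-01-20T10:00:00Z", "2021-01-21T10:00:00Z")

if __name__ == "__main__":
    print("legit :", audit_assertion(LEGIT_ASSERTION))
    print("forged:", audit_assertion(FORGED_ASSERTION))
```

The forged assertion uses the real issuer name, as a forgery would, so the issuer check alone is not enough; the certificate fingerprint comparison is the check that actually depends on the attacker not having the legitimate key, which is why protecting that key and the admin rights that can add trusted certificates matters more than any single token-level rule.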

“The first principle of Zero Trust is to explicitly verify – make sure you extend this verification to all access requests, even those from vendors and especially those from local environments.”

The Microsoft veteran finally offers a reminder of why least-privilege access is crucial to stop attackers from moving laterally within a network. It helps compartmentalize attacks by limiting what a compromised user, device, or network segment can reach.

With Solorigate – the name Microsoft uses for the SolarWinds malware – the attackers ‘used broad role assignments, permissions that exceeded role requirements and, in some cases, abandoned accounts and applications that should not have had permissions at all,’ says Weinert.
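The three conditions Weinert lists (broad role assignments, permissions beyond what a role needs, and abandoned accounts or applications that still hold permissions) are all things a periodic access review can surface mechanically. The following is an added example, not code from Microsoft or from any directory product, that runs such a review over constructed data: each principal's granted permissions are compared with the permissions its role actually requires, and any principal that has not signed in for 90 days but still holds permissions is reported as dormant. The role names, permission strings, principals and dates are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed: the permissions each role legitimately needs.
ROLE_REQUIREMENTS = {
    "helpdesk": {"User.Read.All", "User.ResetPassword"},
    "mail-admin": {"Mail.ReadWrite", "User.Read.All"},
}

# Constructed: (principal, assigned role, permissions actually granted, last sign-in).
ASSIGNMENTS = [
    ("helpdesk-svc", "helpdesk",
     {"User.Read.All", "User.ResetPassword"}, "2021-01-18"),
    ("legacy-mail-app", "mail-admin",
     {"Mail.ReadWrite", "User.Read.All", "Directory.ReadWrite.All"}, "2020-03-02"),
    ("contractor-old", "helpdesk",
     {"User.Read.All", "User.ResetPassword"}, "2020-06-30"),
]


def audit_least_privilege(assignments, requirements, now, dormant_after=timedelta(days=90)):
    """Return {principal: [(finding, details), ...]} for principals that hold more than
    their role requires or that have gone dormant while still holding permissions."""
    findings = {}
    for principal, role, granted, last_seen in assignments:
        issues = []
        # Anything granted beyond the role's requirement is excess that an attacker
        # who compromises this principal inherits.
        excess = granted - requirements.get(role, set())
        if excess:
            issues.append(("excess-permissions", sorted(excess)))
        # A principal nobody has used for a long time should not keep standing access.
        if now - datetime.strptime(last_seen, "%Y-%m-%d") > dormant_after:
            issues.append(("dormant-with-permissions", sorted(granted)))
        if issues:
            findings[principal] = issues
    return findings


if __name__ == "__main__":
    review_date = datetime(2021, 1, 20)  # constructed review date
    for principal, issues in audit_least_privilege(ASSIGNMENTS, ROLE_REQUIREMENTS, review_date).items():
        print(principal, issues)
```

Run on the constructed data, the active help-desk service account is clean, the legacy mail application is flagged both for the directory-write permission its role never needed and for being dormant, and the old contractor account is flagged as dormant even though its permissions match its role; the review then feeds removal of the excess grant and disabling of the unused principals.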

Weinert admits that the SolarWinds hack was a “significant and advanced attack”, but the risk posed by the techniques used can be significantly reduced, or mitigated entirely, by following these best practices.
