SolarWinds hackers appeared to have targeted cloud services as a key objective, potentially giving them access to many, if not all, cloud-based services.
This is an account in GeekWire written by Christopher Budd, a freelance security consultant who previously worked in the Microsoft Security Response Center for 10 years.
“If we decode the various reports and connect the dots, we can see that SolarWinds attackers have targeted authentication systems on compromised networks, so that they can connect to cloud-based services like Microsoft Office 365 without raising the alarm,” Budd wrote. “Worse yet, the way they go about it can potentially be used to access many, if not all, of an organization’s cloud-based services.”
As a result, those assessing the impact of the attack must examine not only their own systems and networks, but also their cloud-based services, for evidence of compromise. And it means that defending against such attacks requires increasing the security and oversight of cloud service authentication systems “from now on.”
Budd cited these top takeaways:
After establishing a foothold in a network, SolarWinds attackers target the systems that issue the proof of identity used by cloud-based services, and they steal the means used to issue those IDs;
Once they have this ability, they can create fake ID cards that allow them to impersonate legitimate users, or create malicious accounts that appear legitimate, including accounts with administrative access;
Because these IDs are what grant access to data and services in cloud-based accounts, attackers can then access data and email as if they were legitimate users.
SAML Authentication Method Used by Cloud Services Was Targeted
Cloud-based services use an authentication method called Security Assertion Markup Language (SAML), which issues a token that is “proof” of a legitimate user’s identity to the services. Budd found, based on a series of posts on the Microsoft blog, that the SAML service was targeted. While this type of attack was first observed in 2017, “this is the first major attack with this type of wide visibility that targets cloud-based authentication mechanisms,” Budd said.
In response to a question that Budd asked Microsoft about whether the company was aware of the vulnerabilities that led to this attack, he got this response: “We have not identified any Microsoft product or cloud service vulnerabilities in these investigations. Once in a network, the intruder then uses the foothold to gain privilege and uses that privilege to gain access.”
A response from the National Security Agency was similar, asserting that the attackers, by “abusing federated authentication,” were not exploiting any vulnerabilities in the Microsoft authentication system, “but rather abusing the trust established through the integrated components.”
Additionally, although the SolarWinds attack came through a Microsoft cloud-based service, it involved the open SAML standard, which is widely used by cloud-based service providers, not just Microsoft. “SolarWinds attacks and these types of SAML-based attacks against cloud services in the future may involve non-Microsoft SAML providers and cloud service providers,” Budd said.
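To make the mechanism in Budd's takeaways and the Microsoft and NSA statements concrete, here is an added illustration that is not code from the GeekWire article, Microsoft, or any vendor. It models a SAML-style identity provider that signs assertions and logs each issuance, a cloud service that verifies them, and a defender-side audit. The assumption to note: real SAML assertions are XML documents signed with the identity provider's private key (for example the ADFS token-signing certificate); here the signing key is modelled as an HMAC secret so the example runs on the Python standard library alone. All names, hosts and key values are constructed. The point it demonstrates is the one both vendors made: a token minted with stolen key material validates perfectly because no vulnerability is involved, so the evidence of abuse has to come from correlating what the cloud service accepted against what the identity provider actually issued.

```python
# Added example (not from the article or any vendor). Assumption: the IdP's
# private signing key is modelled as an HMAC secret; whoever holds it is,
# from the cloud service's point of view, indistinguishable from the IdP.
import hashlib
import hmac
import json
import uuid

IDP_ISSUER = "https://idp.example.test"           # constructed identifier
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # stands in for the private key
MAX_LIFETIME_S = 3600                             # policy: tokens live one hour


def _sign(key: bytes, assertion: dict) -> str:
    """Signature over a canonical serialisation (stand-in for XML-DSig)."""
    payload = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _build_assertion(subject: str, roles: list, now: int, lifetime_s: int) -> dict:
    return {
        "id": uuid.uuid4().hex,
        "issuer": IDP_ISSUER,
        "subject": subject,
        "roles": roles,
        "issued_at": now,
        "expires": now + lifetime_s,
    }


def idp_issue(subject: str, roles: list, now: int, issuance_log: list) -> dict:
    """The legitimate identity provider: authenticates the user (elided here),
    signs an assertion and records the issuance in its own audit log."""
    assertion = _build_assertion(subject, roles, now, MAX_LIFETIME_S)
    issuance_log.append(assertion["id"])
    return {"assertion": assertion, "signature": _sign(IDP_SIGNING_KEY, assertion)}


def mint_with_stolen_key(stolen_key: bytes, subject: str, roles: list,
                         now: int, lifetime_s: int) -> dict:
    """Models the scenario the article describes: an actor holding the IdP's
    key material produces an assertion without touching the IdP, so no
    authentication happens and nothing is written to the issuance log."""
    assertion = _build_assertion(subject, roles, now, lifetime_s)
    return {"assertion": assertion, "signature": _sign(stolen_key, assertion)}


def sp_verify(token: dict, now: int) -> bool:
    """What a cloud service (service provider) does on receipt: check issuer,
    signature against the trusted key, and validity window. Nothing here can
    tell a legitimately issued token from one minted with the same key."""
    a = token["assertion"]
    if a["issuer"] != IDP_ISSUER:
        return False
    if not hmac.compare_digest(_sign(IDP_SIGNING_KEY, a), token["signature"]):
        return False
    return a["issued_at"] <= now < a["expires"]


def audit(tokens_accepted: list, issuance_log: list, max_lifetime_s: int) -> list:
    """Defender-side check: every token the service accepted should match an
    issuance record at the IdP and respect the lifetime policy.
    Returns (assertion id, reason) findings."""
    issued = set(issuance_log)
    findings = []
    for token in tokens_accepted:
        a = token["assertion"]
        if a["id"] not in issued:
            findings.append((a["id"], "accepted token has no IdP issuance record"))
        if a["expires"] - a["issued_at"] > max_lifetime_s:
            findings.append((a["id"], "token lifetime exceeds policy"))
    return findings


def demo() -> dict:
    """Constructed scenario: one real sign-in, one token minted with the stolen key."""
    now = 1_608_000_000
    issuance_log = []
    legit = idp_issue("alice@example.test", ["User"], now, issuance_log)
    forged = mint_with_stolen_key(IDP_SIGNING_KEY, "alice@example.test",
                                  ["User", "GlobalAdmin"], now, 10 * 365 * 24 * 3600)
    accepted = [t for t in (legit, forged) if sp_verify(t, now)]
    findings = audit(accepted, issuance_log, MAX_LIFETIME_S)
    return {
        "legit_accepted": sp_verify(legit, now),
        "forged_accepted": sp_verify(forged, now),
        "legit_id": legit["assertion"]["id"],
        "forged_id": forged["assertion"]["id"],
        "flagged_ids": sorted({fid for fid, _ in findings}),
        "reasons": sorted(reason for _, reason in findings),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the service accepting both tokens, while the audit flags only the minted one, on two grounds: no issuance record at the identity provider, and a lifetime far beyond policy. That correlation between the cloud service's sign-in records and the identity provider's own issuance log is the detection this attack pattern leaves open, and it is why Budd's conclusion points at oversight of the authentication system rather than at the cloud service. Because a stolen signing key stays valid for as long as relying parties trust it, the structural remedy once key theft is suspected is to rotate the token-signing key material and re-establish the federation trust.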
US Intelligence Sees Russia’s Cozy Bear Behind the Attack
US intelligence officials believe the attack originated in Russia. Specifically, according to a report by The Economist, the group of attackers known as Cozy Bear, which is part of Russia’s intelligence service, was responsible. “It appears to be one of the greatest acts of digital espionage ever against America,” the account said.
The attack demonstrated “high-level operational tradecraft,” according to FireEye, a cybersecurity company that was also a victim itself.
America has tended to categorize, and respond to, the cyber attacks of the past decade according to the objectives of the attackers. It has treated intrusions designed to steal secrets, old-fashioned espionage, as fair game, in the same category as the work of the United States National Security Agency. But attacks meant to cause harm, like the North Korean attack on Sony Pictures in 2014, or China’s theft of trade secrets, are seen as crossing a line, according to the account. Thus, sanctions have been imposed on many Russian, Chinese, North Korean and Iranian hackers.
The SolarWinds attack seems to have created its own category. “This effort to affix the standards to a secretive and chaotic arena of competition has failed,” the Economist account said. “The line between espionage and subversion is blurred.”
One observer notes that America has become less tolerant of “what is allowed in cyberspace” since the Office of Personnel Management (OPM) hack in 2015. That hack breached OPM networks and exposed the files of 22.1 million people, including government employees, others who had undergone background checks, and their friends and family. State-sponsored hackers working for the Chinese government were suspected of being responsible.
“Such large-scale espionage would now be at the top of the list of operations they deem unacceptable,” said Max Smeets of the Center for Security Studies in Zurich.
“On-Prem” software considered more risky
The SolarWinds Orion product is installed “on-prem,” meaning it is installed and run on computers at the premises of the organization using the software. Such products carry security risks that IT leadership must carefully assess, a recent account in eWeek suggested.
SolarWinds attackers apparently used a compromised software patch to get in, suggested William White, chief security officer and IT manager at BigPanda, which offers AI software to detect and analyze problems in computer systems. “With on-prem software, you often have to grant high permissions or highly privileged accounts for the software to run, which creates risk,” he said.
Because the SolarWinds attack was apparently executed through a software patch, “Ironically, the most exposed SolarWinds customers were the ones who were actually diligent about installing Orion patches,” White said.