The SolarWinds Hackers Used Tactics Other Groups Will Copy

The supply chain threat was just the beginning.
Photograph: Feature China/Bancroft Media/Getty Images

One of the most chilling aspects of Russia's recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this wasn't the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims' networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.

The SolarWinds hackers used their access in many cases to infiltrate their victims' Microsoft 365 email services and Microsoft Azure cloud infrastructure, both treasure troves of potentially sensitive and valuable data. The challenge of preventing these types of intrusions into Microsoft 365 and Azure is that they don't depend on specific vulnerabilities that can simply be patched. Instead, hackers use an initial attack that positions them to manipulate the authentication trust between an organization's own identity infrastructure and Microsoft 365 and Azure, so that everything they do afterward looks legitimate to the cloud service. In this case, to great effect.

"Now there are other actors that will obviously adopt these techniques, because they go after what works," says Matthew McWhirt, a director at Mandiant FireEye, the firm that first identified the Russian campaign at the beginning of December.

In the recent barrage, hackers compromised a SolarWinds product, Orion, and distributed tainted updates that gave the attackers a foothold on the network of every SolarWinds customer who installed the trojanized update. From there, the attackers could use their newfound privileges on victim systems to take control of the token-signing certificate and private key that an organization's identity provider uses to sign SAML tokens, the assertions that Microsoft 365 and Azure accept as proof that a user has already authenticated. Organizations manage this authentication infrastructure locally, rather than in the cloud, through a Microsoft component called Active Directory Federation Services (AD FS), which is trusted by the cloud tenant to vouch for users.

Once an attacker has the network privileges to manipulate this authentication scheme, they can generate legitimate-looking tokens to access any of the organization's Microsoft 365 and Azure accounts, no passwords or multifactor authentication required. The cloud service only checks that the token is signed by the certificate it trusts; password and MFA checks happen at the identity provider before a genuine token is issued, and a forged token simply skips that step, and can even carry a claim asserting that MFA was performed. From there, the attackers can also create new accounts, and grant themselves the high privileges needed to roam freely without raising red flags.

“We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Microsoft said in a December blog post that linked these techniques to the SolarWinds hackers. “We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”

The National Security Agency also detailed the techniques in a December report.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML tokens could be forged, granting access to numerous resources.”

Microsoft has since expanded its monitoring tools in Azure Sentinel. And Mandiant is also releasing a tool that makes it easier for organizations to assess whether someone has been tampering with their authentication token generation for Azure and Microsoft 365, for example by surfacing newly added token-signing certificates and newly created accounts.

Now that the techniques have been exposed very publicly, more organizations may be on the lookout for such malicious activity. But SAML token manipulation is a risk for virtually all cloud users, not just those on Azure, as some researchers have warned for years. In 2017, Shaked Reiner, a researcher at the corporate defense firm CyberArk, published findings about the technique, dubbed GoldenSAML. He even built a proof of concept tool that security practitioners could use to test whether their clients were susceptible to potential SAML token manipulation.

Reiner suspects that attackers haven't used GoldenSAML techniques more often in the past few years simply because it requires such a high level of access to pull off. Still, he says he has always viewed increased deployment as inevitable, given the technique's efficacy. It also builds on another well-known Microsoft Active Directory attack from 2014 called Golden Ticket, in which a stolen Kerberos key is used to forge tickets in the same way a stolen token-signing key is used to forge SAML tokens.

“We did feel validated when we saw that this technique had been used by the SolarWinds attackers, but we weren’t really surprised,” Reiner says. “Even though it’s a difficult technique to perform, it still gives attackers a lot of crucial advantages that they need. Because the SolarWinds attackers used it so successfully I'm sure that other attackers will note this and use it more and more from now on.”

Along with Microsoft and others, Mandiant and CyberArk are now working to help their clients take precautions to catch Golden SAML-type attacks sooner or respond more quickly if they find that such a hack is already underway. In a report published on Tuesday, Mandiant details how organizations can check whether these tactics have been used against them, and set up controls to make it harder for attackers to use them undetected in the future.

“Previously we have seen other actors use these methods in pockets, but never to the scale of UNC2452,” the group that perpetrated the SolarWinds attack, says Mandiant's McWhirt. “So what we wanted to do is put together a sort of concise playbook for how organizations investigate and remediate this and harden against it.”

For starters, organizations must make sure their “identity provider services,” like the server that holds token-signing certificates, are configured correctly and that network managers have adequate visibility into what those systems are doing and being asked to do. It's also critical to lock down access for authentication systems so that not too many user accounts have privileges to interact with and modify them. Finally, it's important to monitor how tokens are actually used to catch anomalous activity. For example, you might watch for tokens that were issued months or years ago, but only sprang to life and started being used to authenticate activity a few weeks ago; legitimate SAML tokens are normally short-lived, so a token with an issuance time far in the past is itself suspect. Reiner also points out that attackers' efforts to cover their tracks can be a tell for organizations with strong monitoring: a forged token is minted with the stolen key outside the identity provider, so the provider never logs issuing it. If you see a token being widely used, but can't locate the logs from when the token was issued, it could be a sign of malicious activity.
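The two detections described above, issuance-to-use dormancy and usage without a matching issuance record, can be expressed as a simple correlation between the identity provider's issuance log and the cloud service's sign-in log. The following is an added example written for this page, not code from Mandiant, CyberArk, or Microsoft; the record formats, field names, and log entries are constructed and simplified rather than real AD FS or Azure AD schemas, and the 30-day dormancy threshold is an assumed value. It also flags a third condition the text implies: a token whose claimed issuance time or subject disagrees with what the identity provider actually recorded, which is what a forged assertion looks like when the attacker chooses their own issuance details.

```python
"""Correlate token issuance with token usage to spot Golden SAML-style abuse.

Added example for this article; the log formats and entries below are
constructed, not real AD FS or Azure AD data.
"""
from datetime import datetime, timedelta

# Constructed sample: what the on-premises identity provider recorded when it
# signed tokens. A forged token never appears here, because it was minted with
# the stolen key outside the identity provider.
ISSUANCE_LOG = [
    {"token_id": "_a1", "user": "alice@corp.example", "issued_at": "2021-01-05T09:00:00Z"},
    {"token_id": "_b2", "user": "bob@corp.example",   "issued_at": "2021-01-05T09:05:00Z"},
    {"token_id": "_c3", "user": "carol@corp.example", "issued_at": "2020-03-10T12:00:00Z"},
]

# Constructed sample: what the cloud service's sign-in log shows for each
# token, including the issuance time the token itself claims.
USAGE_LOG = [
    # Normal: issued and used within a minute, matching issuance record.
    {"token_id": "_a1", "user": "alice@corp.example",
     "used_at": "2021-01-05T09:01:00Z", "token_issued_at": "2021-01-05T09:00:00Z"},
    # Dormant: issued ten months earlier, suddenly used.
    {"token_id": "_c3", "user": "carol@corp.example",
     "used_at": "2021-01-04T15:30:00Z", "token_issued_at": "2020-03-10T12:00:00Z"},
    # Mismatch: the token claims an issuance time the provider never recorded.
    {"token_id": "_b2", "user": "bob@corp.example",
     "used_at": "2021-01-05T10:00:00Z", "token_issued_at": "2021-01-01T00:00:00Z"},
    # Orphan: used, but no issuance record exists at all.
    {"token_id": "_z9", "user": "admin@corp.example",
     "used_at": "2021-01-06T02:13:00Z", "token_issued_at": "2021-01-06T02:12:00Z"},
]

# Assumed threshold: legitimate SAML tokens are short-lived, so anything
# older than this at time of use deserves a look.
MAX_DORMANCY = timedelta(days=30)


def parse_ts(value):
    """Parse the UTC timestamps used in the constructed logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_tokens(issuance_log, usage_log, max_dormancy=MAX_DORMANCY):
    """Return one finding per (token, reason) for usage that the issuance log
    does not explain: no issuance record, issuance details that disagree with
    the provider's record, or a long gap between issuance and first use."""
    issued = {rec["token_id"]: rec for rec in issuance_log}
    findings = []
    for use in usage_log:
        token_id = use["token_id"]
        record = issued.get(token_id)
        if record is None:
            findings.append({"token_id": token_id, "user": use["user"],
                             "reason": "no_issuance_record"})
            continue
        recorded_issue = parse_ts(record["issued_at"])
        claimed_issue = parse_ts(use["token_issued_at"])
        if recorded_issue != claimed_issue or record["user"] != use["user"]:
            findings.append({"token_id": token_id, "user": use["user"],
                             "reason": "issuance_mismatch"})
        if parse_ts(use["used_at"]) - recorded_issue > max_dormancy:
            findings.append({"token_id": token_id, "user": use["user"],
                             "reason": "dormant_token"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tokens(ISSUANCE_LOG, USAGE_LOG):
        print(f"{finding['reason']:20} token={finding['token_id']} user={finding['user']}")
```

Run against the constructed logs, the script reports three findings (the dormant token, the mismatched token, and the orphan) and stays silent on the normal one. In a real deployment the join key would be whatever correlates an identity provider's audit event with the cloud sign-in entry for the same token, and both logs would need to be collected centrally, since an attacker with the access this technique requires can also tamper with logs on the identity provider itself.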

“As more organizations transfer more and more of their systems to the cloud, SAML is the de facto authentication mechanism being used in those environments,” CyberArk's Reiner says. “So it's really natural to have this attack vector. Organizations need to be ready, because this is not really a vulnerability—this is an inherent part of the protocol. So you're still going to have this issue in the future."
