Any organizations that used the backdoored SolarWinds network-monitoring software should take another look at their logs for signs of intrusion in light of new guidance and tooling.
In an update and white paper [PDF] released on Tuesday, FireEye warned that the hackers – which intelligence services and computer security outfits have concluded were state-sponsored Russians – had specifically targeted two groups of people: those with access to high-level information, and sysadmins.
But the targeting of those accounts will be difficult to detect, FireEye warned, because of the way they did it: forging the digital certificates and tokens used for authentication to look around networks without drawing much or any attention.
“Detection of forged SAML tokens actively being used against an organization has proven to be difficult,” the white paper notes. “One possibility is to compare entries in the Azure AD Sign-Ins log against the security event logs of the on-premises AD FS servers to ensure that all authentications originated from AD FS.”
It notes however that “technically, every sign-in recorded in Azure AD will have a corresponding event in the on-premises security event logs. However, in real-world environments, this exercise is impractical for most organizations.”
Fortunately, the paper gives a detailed rundown for how to search logs and what to look for to see if an account has been compromised, complete with step-by-step instructions for how to cut access and provide additional protection in future.
“When a credential that has been added to an application is used to login to Microsoft 365, it is recorded differently than an interactive user sign-in,” the paper notes. “In the Azure Portal these logins can be viewed by navigating to Sign-Ins under the Azure Active Directory blade and then clicking the service principal Sign-ins tab… Note that currently these sign-ins are not recorded in the Unified Audit Log.”
Kaspersky Lab autopsies evidence on SolarWinds hackREAD MORE
As for mitigation measures, FireEye suggests broadly: a review of all sysadmin accounts in particular to see if there are any “that have been configured or added to a specific service principal” and remove them, and then search for suspicious application credentials and remove them too.
Search and destroy
The biz has also released a free tool on GitHub it’s calling the Azure AD Investigator that will warn organizations if there are signs their networks were compromised via SolarWinds' backdoored Orion software: there were an estimated 18,000 organizations potentially infected, SolarWinds warned last month; many of them government departments and Fortune 500 companies.
FireEye also warned that it looks as though the hackers prioritized government officials and software companies; the latter because they could provide future routes of attack into other networks.
The report outlined the four “primary techniques” used by the hackers:
- Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users. This bypassed various authentication requirements.
- Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This essentially created a backdoor on the network.
- Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator. This is the targeting of sysadmins.
- Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
Since FireEye disclosed the hack a month ago, numerous US government orgs including the Commerce Department, Treasury and Justice have discovered they were compromised thanks to a tampered update of the SolarWinds network monitoring software. Microsoft later admitted that its source code had been rifled through.
The attackers were in the systems, undetected, for anywhere up to six months, giving them lots of time to snoop around as well as install hidden holes for future access. The hack is so severe that it formed a significant part of the confirmation hearing for new national intelligence director nominee Avril Haines in Washington DC on Tuesday.
Haines said she had yet to be fully briefed on the hack but did note that the Department of Homeland Security has decided it represented “a grave risk” to government systems and that it was “extraordinary in its nature and its scope.” ®