Cybersecurity Threat Advisory 0070-20: Microsoft Update to Global Intrusion Campaign
Microsoft has released additional findings from its investigation into the SolarWinds Orion compromise. The investigation shows that, after gaining initial access through the trojanized Orion application, the threat actor carries out several stages of privilege escalation and authentication theft, culminating in the theft of federation signing material that lets it forge authentication tokens.
Technical detail and additional information
What is the threat?
As part of its investigation into the SolarWinds Orion compromise, Microsoft found that once the malicious Orion code is running, the threat actor uses that foothold to escalate privileges within the network, steal certificates, and extract the ADFS token-signing key. Beyond the on-premises ADFS activity, Microsoft has also identified anomalous SAML authentications and API activity in its cloud services originating from organizations directly impacted by the SolarWinds breach. Findings published by the NSA and CISA corroborate this and indicate that forged SAML tokens have been observed against multiple third-party cloud providers. Because a relying party trusts any token signed with the federation's token-signing key, a forged token is accepted as a legitimate sign-in: the actor uses such tokens to reach resources that require authentication, such as email or SharePoint, and then to exfiltrate data from those services.
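The detection angle that follows from the above is that a forged SAML token never passed through the organization's own ADFS server, so the cloud-side sign-in has no matching on-premises token-issuance event, and tokens minted by the attacker often carry a validity window far longer than ADFS would normally issue. The script below is an added illustration of that correlation check; it is not part of this advisory and not Microsoft's tooling. The log layouts, the issuer URI `http://sts.example.test/adfs/services/trust`, the 60-minute lifetime baseline, the 5-minute correlation window, and all sample records are constructed assumptions.

```python
"""Flag federated (SAML) cloud sign-ins with no matching ADFS token-issuance
event, an abnormally long validity window, or an unexpected issuer.

Added illustrative example. Field names, thresholds, issuer URI and sample
records are constructed assumptions, not any vendor's real log schema.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "http://sts.example.test/adfs/services/trust"  # assumed ADFS issuer URI
MAX_LIFETIME = timedelta(minutes=60)       # assumed baseline: default ADFS token lifetime
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed max gap between ADFS issuance and cloud sign-in


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2020-12-15T09:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_assertion(xml_text: str) -> dict:
    """Pull issuer, subject and validity window out of a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse_ts(cond.get("NotBefore")),
        "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
    }


def find_suspicious(signins: list, adfs_events: list) -> dict:
    """Return {subject: [reasons]} for federated sign-ins that look forged.

    signins:     cloud-side records with a 'time' and the raw SAML assertion
    adfs_events: ADFS audit events (ID 1200 = token issued) with 'user' and 'time'
    """
    issued = [(e["user"].lower(), parse_ts(e["time"]))
              for e in adfs_events if e["event_id"] == 1200]
    findings = {}
    for rec in signins:
        a = parse_assertion(rec["assertion"])
        seen = parse_ts(rec["time"])
        reasons = []
        if a["issuer"] != EXPECTED_ISSUER:
            reasons.append(f"unexpected issuer {a['issuer']}")
        lifetime = a["not_on_or_after"] - a["not_before"]
        if lifetime > MAX_LIFETIME:
            reasons.append(f"token lifetime {lifetime} exceeds baseline {MAX_LIFETIME}")
        # A genuine token has an ADFS issuance event for the same user shortly before the sign-in.
        if not any(u == a["subject"].lower() and timedelta(0) <= seen - t <= CORRELATION_WINDOW
                   for u, t in issued):
            reasons.append("no ADFS token-issuance event (ID 1200) within correlation window")
        if reasons:
            findings[a["subject"]] = reasons
    return findings


def _assertion(subject, issued, nb, na, issuer=EXPECTED_ISSUER):
    """Build a minimal, unsigned SAML 2.0 assertion string for the sample data."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_x" Version="2.0" IssueInstant="{issued}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"/>'
        '</saml:Assertion>'
    )


# Constructed sample telemetry, not real logs.
SAMPLE_ADFS_EVENTS = [
    {"event_id": 1200, "user": "alice@example.test", "time": "2020-12-15T09:00:00Z"},
    {"event_id": 1200, "user": "carol@example.test", "time": "2020-12-15T10:30:00Z"},
]
SAMPLE_SIGNINS = [
    # alice: ADFS issued the token 30 s earlier, 60 min lifetime -> benign
    {"time": "2020-12-15T09:00:30Z",
     "assertion": _assertion("alice@example.test", "2020-12-15T09:00:00Z",
                             "2020-12-15T09:00:00Z", "2020-12-15T10:00:00Z")},
    # bob: no ADFS issuance at all and a 7-day lifetime -> forged-token pattern
    {"time": "2020-12-15T11:00:00Z",
     "assertion": _assertion("bob@example.test", "2020-12-15T11:00:00Z",
                             "2020-12-15T11:00:00Z", "2020-12-22T11:00:00Z")},
    # carol: an ADFS event exists but two hours earlier, outside the window
    {"time": "2020-12-15T12:30:00Z",
     "assertion": _assertion("carol@example.test", "2020-12-15T12:30:00Z",
                             "2020-12-15T12:30:00Z", "2020-12-15T13:30:00Z")},
]

if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_SIGNINS, SAMPLE_ADFS_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

Run against the sample data, only `bob` and `carol` are reported: `bob` for both the missing ADFS event and the seven-day lifetime, `carol` for the missing event alone. In a real deployment the ADFS side would come from the security log on the federation servers and the cloud side from the tenant's sign-in logs; a sign-in with no issuance event is the strongest signal, since an attacker holding the token-signing key never needs to touch ADFS at all.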
What is the exposure or risk?
Even if an organization is not directly affected by the SolarWinds Orion compromise, it is still exposed to secondary threats from vendors and partners that may have been compromised. Once a partner's authentication mechanism has been compromised through the initial exploit, an attacker can steal or forge that partner's credentials and tokens and reuse them in a second-stage attack through the trusted applications, accounts, or devices the partner operates on your network.
What are the recommendations?
As part of its ongoing updates, Microsoft has issued system hardening guides and cleanup actions for affected Azure environments, as well as general guidance on identifying suspicious authentication-token activity. These guidelines can be found below.
If your organization has vendor-owned devices on your network, we recommend the following:
- Audit these systems for vulnerabilities and harden them against the weaknesses found.
- Review the accounts granted to trusted third parties to confirm that only the access they need has been granted.
- Where possible, rotate the credentials used by these accounts without delay, since authentication tokens may have been compromised in the vendor’s network.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.