EXECUTIVE SUMMARY:
The SolarWinds discovery in 2020 shocked enterprises and federal agencies around the world. New data reveals that the hackers responsible for the breach are now interested in compromising cloud solution companies. Their aim is to steal information pertaining to their specific interests, and to gain network access to new enterprises.
The research findings came to light earlier this week, and reflect the efforts of hundreds of consultants, analysts and engineers. Experts have stated that a core group of satellite criminal gangs may be operating alongside the perpetrators of the SolarWinds breach.
Identifying responsible parties
After a thorough investigation of the SolarWinds security incident, researchers managed to break the hive of threat actors into two distinct groups. The first group, known as UNC2652, focused on diplomatic entities and leveraged phishing emails. The second group, known as UNC3004, attempted to gain entry into both federal and private entities via a cloud service provider and a managed service provider.
This SolarWinds discovery showed just how advanced the threat actors were in organizing their activities and in leveraging a combination of third parties and trusted vendor relationships for exploitative purposes.
Evidence indicates that cloud service providers experienced a series of compromises. In turn, these cloud security compromises enabled the attackers to obtain privileged access and credentials, resulting in a large-scale compromise of downstream customers.
Hackers’ tactical maneuvers
The SolarWinds attack reflects formidable creativity. Highly developed TTPs (tactics, techniques and procedures) were in-play.
Attackers relied on a residential IP address, purchased on the dark web, to give the appearance that a specific individual had logged into environments from a known location. This SolarWinds discovery provides indication of how threat actors complicated and obfuscated their operations.
In another new SolarWinds discovery, researchers observed compromise to a series of user accounts within a given environment. Hackers then assigned specific accounts unique functions. For example, one account would be designated for reconnaissance, while others were used for data theft or further components of the larger SolarWinds scheme.
The ingenuity of the attackers hasn’t diminished. Since 2020, researchers state that groups linked to the SolarWInds attackers have continued to develop new means of compromising large numbers of enterprises simultaneously.
Advanced tradecraft
The aforementioned tricks barely begin to skim the surface of the pool of advanced tactics used by the SolarWinds hackers. If interested in technical information, other advanced tactics used included:
- Leveraging credentials stolen by hackers via the Cryptobot malware. This bot steals system and web browser credentials, along with cryptocurrency wallets. Making use of these capabilities enabled the primary group of threat actors to compromise targets despite the fact that they did not use a hacked service provider.
- Compromising enterprise spam filters or other software using application impersonation privileges. This enabled hackers to access emails or other forms of data from any account on a compromised network, saving the hackers from having to break into each account individually.
- The abuse of residential proxy services or geo-located cloud providers, such as Azure, in order to reach end targets. Upon reviewing access logs of hacked companies, administrators observed connections stemming from reputable local ISPs or cloud providers existing in the same geographic locale as the companies. As a result, hackers managed to disguise intrusions.
- Hackers managed to find creative means of bypassing security restrictions. This included extracting virtual machines to map out routing configurations of interesting networks.
- SolarWinds attackers also relied on a custom downloader, known as Ceeloader.
- Hackers gained access to an active directory stored in a target’s Azure account, and leveraged admin tools for the purpose of stealing cryptographic keys, which would generate tokens capable of helping hackers bypass two-factor authentication. In turn, this provided hackers with what’s known as a Golden SAML, a key that unlocks every service that depends on the Security Assertion Markup Language; the protocol that enables 2FA to function correctly.
SolarWinds discovery: New reporting
In October, Microsoft reported that SolarWinds-related hackers managed to compromise CSPs for the purpose of exploiting trusted relationships between organizations, governments, think tanks, and other enterprises. This highlights the importance of vetting emails, calls, and software updates from providers.
Researchers have also discovered that, despite top-notch hacking skills, the SolarWinds attackers did make some mistakes. For example, the hackers attempted to use binaries for the purpose of uploading files to the Mega cloud storage provider. In so doing, a tool deployed failed to execute due to a bug inserted into the process upon the renaming of the binary.
The new SolarWinds campaign
According to Microsoft, the hackers responsible for the SolarWinds cyber attack are launching a fresh initiative to compromise global networks. The new activities involve targeting the tech supply chain; from resellers to providers of cloud technologies.
For more SolarWinds discovery information, click here. Lastly, get access to exclusive stories and more when you sign up for the CyberTalk.org newsletter.