CISA Insights on APT Compromise of Microsoft 365 Via Password Exploits
The APT actors behind the SolarWinds attack are leveraging compromised Microsoft 365 and Azure applications, as well as password exploits and API access to compromise cloud resources.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released an alert, warning that the advanced persistent threat (APT) actors behind the SolarWinds cyberattack are also leveraging compromised Microsoft 365 and Azure Applications to access cloud resources.
Specifically, CISA is currently investigating instances of threat actors potentially gaining initial access into victims’ networks through password guessing, password spraying, and/or exploiting inappropriately secured administrative or other service credentials, rather than using compromised SolarWinds Orion products.
The provided insights complement previously released guidance on the massive SolarWinds cyberattack first disclosed in mid-December, where the hackers trojanized previous software updates to the IT monitoring and management software, Orion.
As a result, the actors gained access to a host of environments, including multiple federal government agencies and FireEye. The hackers are highly sophisticated and targeted in their attacks on supply-chain vendors, using a “light malware footprint” to hide their malicious activities.
Nation-state actors with ties to Russia are likely behind these attacks, which include the abuse of authentication mechanisms.
The latest alert warns that these hackers did not only exploit SolarWinds; CISA also found evidence of initial access vectors in other platforms. The insights address the APT activity used in these efforts, irrespective of the initial access vector used for the attacks.
Hackers are leveraging compromised applications in a victim’s Microsoft 365 or Azure environment, in addition to separate credentials and API access to cloud resources of both private and public sector entities.
Microsoft also provided insights on the latest attacks, which it breaks down into four elements following an initial compromise of an on-premises identity solution.
The hackers first forge a trusted authentication token using access to resources trusted by the on-premises identity provider. Next, the actor uses the forged authentication tokens to make configuration changes in the service provider, such as Azure AD, to establish a foothold.
“The threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged Azure AD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud),” according to the insights.
In the third stage, the hacker acquires an OAuth access token for an application using forged credentials they have added to an existing application service principal, and then calls APIs with the permissions assigned to that application.
Lastly, once they’ve firmly established access, the attackers use “Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications).”
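The second and third elements above both hinge on a credential being added to an existing service principal or application. That change is written to the Azure AD audit log, which makes it a natural detection point. The following is an added example (not code from CISA, Microsoft, or the Sparrow tool) that scans constructed audit-log records modelled on the Microsoft Graph directoryAudit fields and flags credential additions whose initiating identity is not on a hypothetical allow-list of expected credential managers. The sample records, the allow-list and the exact spelling of the operation names are assumptions for the example.

```python
"""Flag credential additions to service principals/applications in Azure AD audit logs."""

# Constructed sample of Azure AD audit-log records, modelled on the fields of
# Microsoft Graph "directoryAudit" objects (activityDisplayName, initiatedBy,
# targetResources). All values are made up for this example.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2020-12-10T02:14:00Z",
     "activityDisplayName": "Add service principal credentials",
     "category": "ApplicationManagement",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.test"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "mail-sync-app"}],
     "result": "success"},
    {"activityDateTime": "2020-12-10T09:30:00Z",
     "activityDisplayName": "Update user",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"type": "User", "displayName": "asmith"}],
     "result": "success"},
    {"activityDateTime": "2020-12-11T11:05:00Z",
     "activityDisplayName": "Update application \u2013 Certificates and secrets management",
     "category": "ApplicationManagement",
     "initiatedBy": {"app": {"displayName": "cicd-deployer"}},
     "targetResources": [{"type": "Application", "displayName": "mail-sync-app"}],
     "result": "success"},
]

# Audit operations that add or change credentials on an app or service
# principal (assumed spellings; the real display names may use an en dash).
CREDENTIAL_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Hypothetical allow-list: the only identities expected to rotate application
# credentials in this tenant (an assumption for the example).
EXPECTED_CREDENTIAL_MANAGERS = {"cicd-deployer"}


def actor_of(record):
    """Return the user principal name or app display name that initiated the event."""
    initiated = record.get("initiatedBy") or {}
    if initiated.get("user"):
        return initiated["user"].get("userPrincipalName", "<unknown user>")
    if initiated.get("app"):
        return initiated["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def find_credential_additions(records, expected_managers=EXPECTED_CREDENTIAL_MANAGERS):
    """Return one finding per successful credential addition/change.

    Each finding records when it happened, which operation was used, who did
    it, which app/service principal was touched, and whether the actor is
    outside the allow-list (the case worth immediate triage).
    """
    findings = []
    for record in records:
        # Normalise the en dash Azure AD uses in some operation names.
        operation = record.get("activityDisplayName", "").replace("\u2013", "-")
        if operation not in CREDENTIAL_OPERATIONS or record.get("result") != "success":
            continue
        actor = actor_of(record)
        targets = [t.get("displayName") for t in record.get("targetResources", [])
                   if t.get("type") in ("ServicePrincipal", "Application")]
        findings.append({
            "time": record.get("activityDateTime"),
            "operation": operation,
            "actor": actor,
            "targets": targets,
            "unexpected_actor": actor not in expected_managers,
        })
    return findings


if __name__ == "__main__":
    for finding in find_credential_additions(SAMPLE_AUDIT_LOG):
        flag = "REVIEW" if finding["unexpected_actor"] else "expected"
        print(f"{finding['time']} {flag:8} {finding['actor']} -> "
              f"{finding['operation']} on {', '.join(finding['targets'])}")
```

The allow-list is deliberately small: in most tenants only a pipeline identity or a handful of administrators should ever add secrets or certificates to an application, so any other actor performing the operation is worth a look even when the account is legitimate.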
CISA has observed the “threat actor moving from user context to administrator rights for privilege escalation within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation, to enumerate the Microsoft Active Directory Federated Services certificate-signing capability.”
These attacks include three key features: compromising or bypassing identity technology, leveraging forged authentication tokens to spread across Microsoft cloud environments, and using privileged access accounts to exploit victims’ cloud environments and establish a persistent presence for API-based access.
“This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments,” CISA officials warned.
“The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication,” they added. “This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally through trust boundaries, evade defenses and detection and steal sensitive data.”
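A forged SAML token is accepted by the cloud service provider without the identity provider ever having seen the request, which is the gap CISA describes above. One defender-side check that follows from this is correlation: every federated sign-in recorded by Azure AD should have a matching token-issuance event on the on-premises AD FS server shortly before it. The following is an added example (not CISA's, Microsoft's or Sparrow's code) that runs that correlation over constructed records. Event ID 1200 is the real Windows event AD FS writes when it issues a token; the field layout of both record sets, the one-hour lookback window and the `federated` flag on the sign-in record are simplifying assumptions for the example.

```python
"""Find federated cloud sign-ins with no matching on-premises AD FS token issuance."""
from datetime import datetime, timedelta

# Constructed extract of AD FS security-log events. Event ID 1200 ("The
# Federation Service issued a valid token") is real; this flat layout is an
# assumption for the example.
ADFS_TOKEN_ISSUANCE = [
    {"event_id": 1200, "time": "2020-12-14T08:02:10Z", "upn": "asmith@example.test"},
    {"event_id": 1200, "time": "2020-12-14T08:45:00Z", "upn": "jdoe@example.test"},
    {"event_id": 1202, "time": "2020-12-14T08:44:58Z", "upn": "jdoe@example.test"},
]

# Constructed Azure AD sign-in records. "federated" stands in for the sign-in
# detail that shows the token came from the federation service (assumption).
AZURE_SIGNINS = [
    {"createdDateTime": "2020-12-14T08:02:15Z", "userPrincipalName": "asmith@example.test",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "federated": True},
    {"createdDateTime": "2020-12-14T13:20:00Z", "userPrincipalName": "jdoe@example.test",
     "appDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.77", "federated": True},
    {"createdDateTime": "2020-12-14T09:00:00Z", "userPrincipalName": "svc-cloud@example.test",
     "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.10", "federated": False},
]

# How far back to look for an AD FS issuance that could have produced the token
# used at sign-in (assumption: roughly a SAML token lifetime).
LOOKBACK = timedelta(hours=1)


def parse_time(value):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def index_issuance(adfs_events):
    """Map each UPN to the sorted list of times AD FS issued it a token (event 1200)."""
    by_upn = {}
    for event in adfs_events:
        if event.get("event_id") != 1200:
            continue  # 1202 and others are credential validation, not issuance
        by_upn.setdefault(event["upn"].lower(), []).append(parse_time(event["time"]))
    for times in by_upn.values():
        times.sort()
    return by_upn


def find_unmatched_federated_signins(signins, adfs_events, lookback=LOOKBACK):
    """Return federated sign-ins that have no AD FS issuance within the lookback window.

    Such sign-ins are candidates for tokens that were forged or replayed
    rather than issued by the identity provider, and warrant investigation.
    """
    issued = index_issuance(adfs_events)
    unmatched = []
    for signin in signins:
        if not signin.get("federated"):
            continue  # cloud-native or pass-through auth is out of scope here
        when = parse_time(signin["createdDateTime"])
        upn = signin["userPrincipalName"].lower()
        window_start = when - lookback
        matched = any(window_start <= t <= when for t in issued.get(upn, []))
        if not matched:
            unmatched.append(signin)
    return unmatched


if __name__ == "__main__":
    for signin in find_unmatched_federated_signins(AZURE_SIGNINS, ADFS_TOKEN_ISSUANCE):
        print(f"no AD FS issuance for {signin['userPrincipalName']} "
              f"at {signin['createdDateTime']} from {signin['ipAddress']} "
              f"to {signin['appDisplayName']}")
```

In practice the lookback should be set from the token lifetime configured on the relying-party trust, and the AD FS logs must come from every federation server and proxy in the farm; a gap in log collection produces the same "unmatched" result as a forged token, so the check is a triage queue, not a verdict.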
CISA warned that these types and levels of compromise will make it difficult for security leaders to remediate. Thus, administrators will need to coordinate a multi-disciplinary effort to regain administrative control of these accounts before attempting to recover an exploited network.
The insights provide step-by-step mitigation techniques for each stage of the attack, as well as network functions and telemetry in need of review when a network compromise is suspected.
If an organization has identified a compromise through the SolarWinds Orion product or another threat vector, such as the latest detailed attack, administrators will need to identify all follow-up activities on their on-premises networks through a fine-tuned approach and host-based forensics, CISA explained.
Both Microsoft O365 and M365 have built-in functions for detecting unusual activity, which CISA said can aid these investigations. CISA also developed a tool called Sparrow to help detect possibly compromised accounts and applications in Azure or M365 environments.
“The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors,” according to guidance. “It’s neither comprehensive nor exhaustive of available data.”
“It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications,” it added.
CISA also provided insights on the CrowdStrike Azure Reporting tool, as well as Hawk, an open-source, PowerShell-driven tool that network defenders can leverage to quickly gather data from O365 and Azure for security investigations.