Free Auditing Tool Helps Detect SolarWinds Hackers' MalwareFireEye Also Describes Hackers' Tools and Techniques
Security firm FireEye has released a free auditing and remediation tool on GitHub that it says can help organizations determine if the hacking group that targeted SolarWinds used similar techniques within their network to gain access to Microsoft Office 365 accounts.
See Also: A CISO’s Guide to Defender Alignment
On Tuesday, FireEye also issued a report that examines some of the techniques and tactics used by the hacking group, which the security firm calls UNC2452.
Also this week, researchers at Symantec reported they uncovered a fourth malware variant, called "Raindrop," used during the SolarWinds attack. The other malware variants were Teardrop, Sunspot and Sunburst (see: 'Raindrop' Is Latest Malware Tied to SolarWinds Hack).
FireEye and SolarWinds
FireEye discovered the SolarWinds supply chain hack Dec. 13, 2020, when it found its penetration tools had been stolen. The attack involved hackers placing a malware backdoor - Sunburst - within SolarWinds’ Orion network monitoring platform, which was downloaded when users updated the software (see: SolarWinds Attack: 'This Hit the Security Community Hard').
Researchers believe Sunburst is used as part of a campaign to help hijack Microsoft Office 365 applications to read victims' emails, send emails from compromised accounts and access users' calendars, FireEye notes.
FireEye says organizations can use its free auditing script, Azure AD Investigator, "to check their Microsoft 365 tenants for indicators of some of the techniques used by UNC2452. The script will alert administrators and security practitioners to artifacts that may require further review to determine if they are truly malicious or part of legitimate activity."
It’s unclear how many systems have been infected by the malware used by the SolarWinds hackers. But SolarWinds has previously noted that an estimated 18,000 organizations, including government agencies, tech firms and other organizations, downloaded the infected software. Hundreds were targeted with follow-on attacks, researchers say (see: US Treasury Suffered 'Significant' SolarWinds Breach)
U.S. intelligence agencies say the attack appears to be a Russian-backed espionage operation.
The auditing tool can spot four attack tactics used by the SolarWinds hackers to move laterally within the Office 365 cloud environment:
- Stealing Office 365 Active Directory Federation Services token-signing certificates to forge tokens used for authentication, which can enable threat actors to gain access to the victim's Office 365 environment without needing the user’s password or their multifactor authentication mechanism;
- Modifying or adding trusted domains in Azure Active Directory to add a new identity that the attacker controls, enabling the hackers to forge tokens for arbitrary users and implant Azure AD backdoors;
- Targeting Microsoft Office 365 with higher access privileges, such as credentials that belong to global system administrators or application administrators;
- Creating a backdoor on Microsoft Office 365 applications to read email, send email as an arbitrary user and access user calendars.
"These findings prove that for most organizations, Microsoft components remain at the heart of an attackers' focus," says Brandon Hoffman, the CISO of security firm Netenrich. "Because most organizations are reliant on Microsoft services and tools for administering their systems, these services are essentially crown jewels. Organizations should always be taking extra care to monitor and thoroughly review these components even when not in a breach scenario."
The fallout from the SolarWinds attack continues to be felt across U.S. federal agencies and the private sector. On Tuesday, security firm Malwarebytes disclosed that it had been targeted by the same threat actors, although it does not use SolarWinds products. Malwarebytes says the hackers exploited a dormant email protection tool (see: Malwarebytes CEO: Firm Targeted by SolarWinds Hackers).