Microsoft and Microsoft 365 customers are at the center of a massive, persistent Russian cyberattack breaching US government and large commercial environments. Since so much data, email traffic and identities are contained within M365, cracking all three has been a major attack goal – one unfortunately achieved in far too many cases.
The attacks began this past March as COVID was first getting its legs, when nation-state cybercriminals from Russia breached SolarWinds’ Orion management system with over 300,00 customers, some 18,000 of which were compromised. The hackers also reportedly pilfered through SolarWinds’ M365 files. From there it was off to the races.
The criminals quietly went after Microsoft itself, and many of its M365 customers had their tenants breached, including the US Commerce Department’s National Telecommunications and Information Administration (NTIA). Here, hackers reportedly from the Russian intelligence service hacked M365 authentication which wasn’t fully protected by multi-factor authentication (MFA), and once in monitored M365 Exchange email literally for months – completely undetected. The attacks were purposely under the radar, allowing them to covertly expand their grip on breached organizations while attacking new ones.
All this wreckage is from one little file – SolarWinds.Orion.Core.BusinessLayer.dll “The addition of a few benign-looking lines of code into a single DLL file spelled a serious threat to organizations using the affected product, a widely used IT administration software used across verticals, including government and the security industry. The discreet malicious codes inserted into the DLL called a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks,” Microsoft wrote in its Analyzing Solorigate – The Compromised DLL File That Started a Sophisticated Cyberattack blog. “With a lengthy list of functions and capabilities, this backdoor allows hands-on-keyboard attackers to perform a wide range of actions. As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.”
Azure Also Cracked
Azure and Azure Active Directory (AD) are keys to Microsoft cloud and M365 identities, and these were targets as well. Here, the cybercriminals forged authentication tokens representing Azure accounts with high-level privileges, the Microsoft Security Research Center disclosed. Without MFA protecting them, these tokens can easily crack privileged Azure AD accounts, and those compromised credentials can do further damage.
Boring Dangerously Deep into the Microsoft Environment
Breaching the perimeter is just the beginning. Once they’ve broken in, the hackers leverage the high-level administrative permissions and privileges to fully access a global admin account and use that account’s trusted SAML token signing certificate. This control allows the hacker to forge new SAML tokens that appear to come from existing users and accounts, and here the obvious sweet spot is fully controlling highly privileged accounts.
“Anomalous logins using the SAML tokens created by the compromised token signing certificate can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization,” Microsoft said. “In other cases, service account credentials had been granted administrative privileges; and in others, administrative accounts may have been compromised by unrelated mechanisms. Typically, the certificate is stored on the server that provides the SAML federation capabilities; this makes it accessible to anyone with administrative rights on that server, either from storage or by reading memory.”
While all this is plenty scary, the compromise of the most privileged credentials is truly terrifying. “Using the global administrator account and/or the trusted certificate to impersonate highly privileged accounts, the actor may add their own credentials to existing applications or service principals, enabling them to call APIs with the permission assigned to that application,” Microsoft warned.
Land and Expand
Once in a tenant, the cybercriminals expanded their reach, either by creating new federation trusts, or tricking an established federation trust to accept new tokens equipped with cybercriminal-owned certificates. And of course, the criminals’ administrator privileges could easily grant additional permissions.
The cybercriminals are clearly picking the most fruitful targets. “The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion,” Microsoft wrote in its Customer Guidance on Recent Nation-State Cyber Attacks blog. “While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures.”
Fighting Solorigate Infections
Battling what Microsoft calls Solorigate starts with identifying the malicious file, and either blocking it or getting rid of it. Here is what Microsoft recommends:
- “Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate how the affected endpoint might have been compromised.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.”
Microsoft has other recommendations for M365 shops. As expected, step one is running anti-virus. Other steps Microsoft advises include:
- “Follow the best practices of your identity federation technology provider in securing your SAML token signing keys. Consider hardware security for your SAML token signing certificates if your identity federation technology provider supports it. Consult your identity federation technology provider for specifics. For Active Directory Federation Services, review Microsoft’s recommendations here: Best Practices for Securing ADFS
- Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, JIT/JEA, and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles, like Global Administrator, Application Administrator, and Cloud Application Administrator.
- Ensure that service accounts and service principals with administrative rights use high entropy secrets, like certificates, stored securely. Monitor for changes to secrets used for service accounts and service principals as part of your security monitoring program. Monitor for anomalous use of service accounts. Monitor your sign ins. Microsoft Azure AD indicates session anomalies, as does Microsoft Cloud App Security if in use.”
How CoreView Helps
CoreView addresses the Solorigate and other hacks in a number of ways, including:
MFA – Find all accounts without MFA and create a workflow to automate MFA enablement.
Least Privilege Access – Admins are the sought after targets, so limiting the number of admins reduces that threat surface. CoreView finds all global admins and can reduce their privileges to only what is needed.
Auditing, Analysis and Forensics – Once breached, CoreView can discover every user and admin action taken afterward, including how and where the malicious file was shared.
Find the DLL – CoreView can make sure the compromised files have not made it into file servers, SharePoint, or SharePoint Online (including Teams and OneDrive). CoreScan can locate the malicious files, or CoreView users can simply search in the audit log for objectIDs below:
File Name: SolarWinds.Orion.Core.BusinessLayer.dll
File Hash (MD5): b91ce2fa41029f6955bff20079468448
Check Your CIS Compliance and Know EVERYTHING About Your Tenant’s Security
Don’t fly blind when it comes to M365 security flaws. The Microsoft 365 Security Health Check provides insight no $500 an hour consultant can offer, including:
- The State of Multi-Factor Authentication and Password Safety
- Who Has Dangerous Privileges
- How your company’s data is really being managed
- Email Security
- Audit logs and paths
- Where Security and Compliance Problems Lay
- And What To Do About It!
Sign up for your FREE M365 Security Health Check here.