News

CrowdStrike Exec Points to Active Directory 'Structural Problems' in Senate Solorigate Hearing

• By Kurt Mackie
• 02/26/2021

Microsoft's Active Directory authentication solution got notably skewered during a Feb. 23 U.S. Senate hearing on the SolarWinds Orion software hack.

The hearing by the Senate Select Committee on Intelligence focused on how a software implant and other methods went undetected, enabling an espionage campaign that affected nine federal agencies and 100 companies, per a White House estimate. The hearing included testimony from four software company heads, who also answered senators' questions about the attack.

A common theme associated with the comments was whether software security breaches should be legally mandatory for organizations.

A video recording of the hearing is available on demand at this page.

Amazon Was a No-Show
The executives in the hearing included Kevin Mandia, FireEye's CEO; Sudhakar Ramakrishna, SolarWinds' CEO; Brad Smith, Microsoft's president; and George Kurtz, CrowdStrike's president and CEO.

Notably absent from the hearing was a representative from Amazon Web Services (AWS). Amazon had been invited but declined to attend the hearing, a fact that got rued by most of the senators in their opening comments.

The discussions included a mention that U.S.-based servers had been used to obscure the sophisticated attacks, which are presumed to have come from a nation-state actor. U.S. officials have alleged Russia was involved, although officials there have denied it.

During the hearing, no one specifically said that servers hosted by AWS services were used in the Solorigate attacks, although possibly that was the reason why the senate panel had invited Amazon.

SolarWinds Orion Not Sole Attack Avenue
SolarWinds' Orion management software was subject to a supply-chain attack in which code was inserted at the software build stage to establish a compromise point for espionage purposes, typically targeting e-mail services. The attack, which affected government agencies and software companies, was first detected in December, but it had a several months-long gestation period beforehand.

Initial reports had just pointed to the SolarWinds Orion software compromise as the security issue that got exploited. However, the attackers used multiple other methods, including password spray methods to guess passwords and gain credentials. They also tapped old software with too many permissions and Active Directory Federation Services (ADFS), a Windows Server role, to gain access privileges to Microsoft 365 e-mail services. These other attack methods were noted back in January by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Microsoft has also acknowledged that ADFS used on the local infrastructure of the Solorigate victims was leveraged in the attacks. It has recommended using its Azure AD service instead. The implication from Microsoft, though, seemed to be that compromised organizations had just misconfigured ADFS, rather than that ADFS has inherent security issues.

Active Directory 'Architectural Limitations'
However, comments by CrowdStrike's Kurtz (PDF download) were more pointed. He characterized ADFS as having "architectural limitations" that were leveraged in a "Golden SAML attack" as part of the Solorigate efforts (also known as the "Stellar Particle campaign"):

Significantly, one of the most sophisticated aspects of the StellarParticle campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft's Active Directory Federation Service credentialing and authentication process. The Golden SAML attack leveraged by StellarParticle actors allowed them to jump from customers' on-premise environments and into their cloud and cloud-applications, effectively bypassing multi-factor authentication.

Kurtz added that the architectural flaws in Microsoft's authentication solutions assure that more breaches will come. These flaws will permit attackers to "impersonate most anybody on a network, gain the permissions needed to perform any actions on the network, bypass multi-factor authentication entirely and, every bit as devastating as it sounds, have the ability to sign in as a compromised user no matter how many times that user resets their password," he explained.

Microsoft should "address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely," Kurtz added. Alternatively, "a more community-driven approach to authentication" should be adopted.

CrowdStrike got involved in the Solorigate investigations because it was asked for help by SolarWinds. However, CrowdStrike also had been indirectly targeted. It happened through a "third party IT reseller that managed Microsoft licenses," Kurtz explained.

"The incident involved abnormal activity in the Microsoft Azure account the reseller uses to validate Microsoft customer licenses via API with Microsoft," he said.

CrowdStrike wasn't harmed by this attack venue. However, Kurtz noted that many companies and government agencies routinely rely on such vendors, making it a broad problem for consideration.

Microsoft's Testimony
Microsoft's Smith appealed to broad information sharing about security breaches and explained that Microsoft was first alerted to the attacks by FireEye. He explained that "all of the attacks" identified by Microsoft had started on servers in organizations, which limited Microsoft's detections.

"And yet we only have direct visibility to the attack when it then moved to the cloud," Smith said, according to testimony (PDF download). "As a result, customers that haven't yet migrated to the cloud are more likely to be continued and undiscovered victims."

The hearing involved discussion between senators and executives. Consequently, Smith didn't directly address Kurtz's claims about Active Directory's alleged structural problems. He did suggest, though, that the use of forged SAML tokens was just one approach used by the attackers.

"As it turns out, however, the SAML token generation approach was only used by the Russian attackers 15% of the time among the victims we have identified," Smith said, per his testimony. "In the other 85% of cases, the Russians used a variety of other methods to obtain the credentials they needed to access O365 from an on-premises network."

In general, Smith advocated for "zero trust" network principles, closer government-industry collaboration and mandatory information sharing about security breaches in his senate testimony.

Smith offered a more nationalistic view in a Feb. 23 Microsoft blog post, where he suggested that the lessons of Solorigate were such that "the Pentagon needs to move more quickly to use, secure and adapt commercial advances for military applications."

Other Views
Testimony from the other senate panelists also was interesting, particularly the comments by Mandia (PDF download). In his verbal comments, he said that about 17,000 companies may have been compromised. He noted that the attackers were able to use the software implant in SolarWinds' Orion product to shut off security software and avoid detection. He also surmised that in addition to its other tools, the attackers probably had zero-day software exploits on hand.

Ramakrishna had been hired at SolarWinds after the attacks were detected in December. He had little to say in his testimony (PDF download). However, he did note that the supply-chain attack code (which he called "Sunspot") was added to the Orion product sometime between March 2020 and June 2020. He characterized code such as Sunspot as posing a great risk for more supply-chain attacks in the future.

"We believe that the entire software industry should be concerned about the nation state attack as the methodologies and approaches that the threat actor(s) used can be replicated to impact software and hardware products from any company, and these are not SolarWinds specific vulnerabilities," Ramakrishna said in his testimony.