CISA Points to APT Attack Methods Besides 'Solorigate' that Affected Microsoft 365, Azure Services
The Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an announcement noting that an advanced persistent threat (APT) actor associated with the SolarWinds Orion attacks used their ability to create credentials to compromise a victim's Microsoft 365 and Azure services, but they didn't always tap the so-called "Solorigate" vulnerability to do so.
The announcement by CISA, part of the U.S. Department of Homeland Security, isn't wholly new. CISA had issued an emergency directive on the matter last month. However, it recently updated its announcements to explain that other attack methods besides the SolarWinds supply-chain compromise, dubbed "Sunburst" or "Solorigate," were used by the APT actor. These attacks have been widely attributed to a foreign spy operation, with Russia being named, although officials there have denied such allegations.
Active Directory Federation Services Targeted
CISA indicated that local on-premises federation services, such as Active Directory Federation Services (a Windows Server role), were compromised to gain access and subsequently compromise Microsoft services (both Microsoft 365 and Azure) used by victims.
Besides Solorigate, other attack methods used by the attacker included simple password guessing, password spraying (testing easily guessed passwords across all end users) and tapping unsecured admin credentials.
Apparently, the attacks weren't all due to the SolarWinds breach. Here's CISA's characterization of the matter in its Alert AA21-008A, which offered a checklist of security measures for IT pros to consider:
Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims' enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Supernova). However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.
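For defenders reviewing sign-in logs, the following sketch tells the two patterns named above apart: password spraying shows up as one source failing against many accounts, password guessing as many failures against one account. It is an added example, not code from CISA's alert or from any of the tools the article mentions; the log line format, the thresholds, and the names `sample_log` and `detect` are assumptions, and the records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed sign-in lines: 'ISO-time source-ip user result' (not real data)."""
    t0, out = datetime(2021, 1, 8, 9, 0), []
    def add(minutes, src, user, result):
        out.append(f"{(t0 + timedelta(minutes=minutes)).isoformat()} {src} {user} {result}")
    # One failed try against each of six accounts, then one success.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        add(i, "198.51.100.7", user, "FAIL")
    add(7, "198.51.100.7", "carol", "OK")
    # Twelve failed tries against a single service account.
    for i in range(12):
        add(i, "203.0.113.9", "svc-admin", "FAIL")
    # An ordinary user mistyping twice before signing in.
    add(1, "192.0.2.15", "heidi", "FAIL")
    add(2, "192.0.2.15", "heidi", "FAIL")
    add(3, "192.0.2.15", "heidi", "OK")
    return out

def detect(lines, window=timedelta(minutes=30), spray_users=5, guess_attempts=10):
    """Map source IP -> finding for failed sign-ins inside one sliding window:
    'spraying' = many accounts tried, 'guessing' = many tries on one account."""
    fails, wins = defaultdict(list), defaultdict(set)
    for line in lines:
        ts, src, user, result = line.split()
        if result == "OK":
            wins[src].add(user)
        else:
            fails[src].append((datetime.fromisoformat(ts), user))
    findings = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            per_user = Counter(user for _, user in events[start:end + 1])
            if len(per_user) >= spray_users:
                pattern = "spraying"
            elif max(per_user.values()) >= guess_attempts:
                pattern = "guessing"
            else:
                continue
            # Accounts that also signed in from this source need review first.
            findings[src] = {"pattern": pattern, "succeeded": sorted(wins[src])}
            break
    return findings

if __name__ == "__main__":
    print(detect(sample_log()))
```

Failures spaced further apart than the window are not flagged, so a long look-back period and a wider window matter when hunting for slow spraying.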
The APT actor also used "native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability." This approach allowed the attacker to forge OAuth authentication tokens and then "move laterally to Microsoft Cloud environments."
By such means, the attacker was able to "bypass identity controls and multi-factor authentication," evade detection and steal sensitive data, CISA indicated.
CISA's Alert AA21-008A described three tools that could be used to determine such network compromise. Sparrow is CISA's own free tool for detecting possibly compromised accounts and applications for users of Microsoft 365 and Azure services. This tool is focused on rooting out "identity- and authentication-based attacks."
Another tool is Hawk, "an open-source, PowerShell-driven, community-developed tool" that can get security investigation data from Office 365 and Azure. Hawk is "not an official Microsoft tool," though, according to its GitHub page description.
CISA also pointed to CrowdStrike's Azure Reporting Tool as a means of analyzing Microsoft 365 and Azure data. It's also a free and open source tool, and it somewhat overlaps with Sparrow, but Sparrow differs by "looking for specific indicators of compromise associated with the recent attacks," CISA explained.
Log Data Limitations
These tools are used for forensic purposes, detecting whether an attack happened in the past. Unfortunately, though, the retention of cloud services log data isn't as extensive as it is for on-premises solutions. Moreover, even Microsoft's commonly used management tools may not retain information long enough to carry out the forensics properly.
"Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL," CISA explained.
Organizations will need an industry-standard security information and event management (SIEM) tool to carry out such forensics. To get access to the long-term data, organizations need Microsoft 365 E5 licensing, as the E3 plan just allows for "90 days of auditing." CISA also noted that an Azure Premium P1 or P2 license is needed to access the log data.
Microsoft's other, more commonly used management tools don't have the ability to get the long-term data needed to carry out such forensics, CISA suggested:
Built-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards. However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.
In general, CISA has been investigating APT infiltrations "where there was no SolarWinds exploitation activity observed," according to a Jan. 7-revised Alert AA20-352A. It also mentioned a bypass of Cisco's Duo multifactor authentication protection using a stolen key as another attack method, a finding attributed to cybersecurity firm Volexity. According to Volexity's description, this approach was used to access a user's Outlook Web App service at a think tank.
Microsoft has been an investigator of these APT activities, but it, too, has been a victim. It recently published extensive advice on some security measures to take. Microsoft refers to the initial supply-chain attack that affected the SolarWinds Orion management software as "Solorigate," although it gets dubbed "Sunburst" by others. Researchers typically describe the subsequent malware stage of the attack as "Supernova."
Microsoft's security advice, authored by Alex Weinert, director of identity security at Microsoft, had suggested that organizations delegating trust to on-premises components could experience a compromise that would also result in compromised Microsoft services. However, CISA's revised advisories seem to be a little more explicit. For instance, CISA specifically pointed to Active Directory Federation Services, used on-premises to connect with Microsoft's services, as one of the targeted elements of the APT attacks.
Overall, though, Weinert did recommend that organizations should switch to using the Azure Active Directory service directly with single sign-on, instead of federation using on-premises solutions.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.