"While UNC2452 has demonstrated a level of sophistication and evasiveness, the observed techniques are both detectable and defensible," FireEye said today.

In a report published today, CrowdStrike said that Sunspot was deployed in September 2019, when the hackers first breached SolarWinds' internal network. This stage of the attack was not carried out through the Sunburst backdoor in the SolarWinds Orion software but through a different piece of malware: Sunspot ran on SolarWinds' build server. From there the hackers accessed builds of the company's Orion software and placed malware into the software updates sent out to SolarWinds customers between March and June 2020.

Security vendor Malwarebytes has now also announced that its Office 365 and Azure systems were hacked by the same attacker responsible for the SolarWinds attacks.

The techniques FireEye observed after the initial compromise include:

- Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user's password or their corresponding multi-factor authentication (MFA) mechanism.
- Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
- Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 and that hold highly privileged directory roles, such as Global Administrator or Application Administrator.
- Hijack an existing Microsoft 365 application by adding a rogue credential to it in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, or access user calendars, while bypassing MFA.

In its 35-page report today, FireEye describes these post-initial-compromise techniques in depth, along with detection, remediation, and hardening strategies that companies can apply.

For reference, the SolarWinds Platform's own steps for SAML login using Azure AD:

- Step 2: Configure Azure AD to be able to communicate with the SolarWinds Platform.
- Step 3: Complete the identity provider configuration in the SolarWinds Platform Web Console.
- Step 4: Define users for SAML login using Azure AD (both Azure portal and SolarWinds Platform Web Console).
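As an added example (not from the FireEye report or any vendor quoted here), the Python below sweeps a few constructed Azure AD audit-log entries for the activities that correspond to the techniques listed above: federation changes, credentials added to an application, and grants of the two privileged roles the report names. The activity names and the log fields it reads are assumptions to confirm against an export from your own tenant.

```python
# Azure AD audit-log activity names mapped to the post-compromise techniques above.
# Assumption: these are the activityDisplayName strings the audit log uses; confirm
# them against an export from your own tenant before relying on the match.
WATCHED = {
    "Set federation settings on domain": "federation trust changed (possible attacker-controlled IdP)",
    "Set domain authentication": "domain authentication mode changed (managed/federated)",
    "Add service principal credentials": "credential added to an existing application",
    "Add member to role": "high-privilege directory role granted",
}
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

def review_audit_log(entries):
    """Return (timestamp, actor, activity, targets) for each entry matching a watched activity."""
    findings = []
    for e in entries:
        activity = e.get("activityDisplayName", "")
        if activity not in WATCHED:
            continue
        actor = e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        targets = [t.get("displayName", "") for t in e.get("targetResources", [])]
        new_values = [p.get("newValue", "") for t in e.get("targetResources", [])
                      for p in t.get("modifiedProperties", [])]
        # Role grants are only reported for the two roles the report singles out.
        if activity == "Add member to role" and not any(
                role in v for role in PRIVILEGED_ROLES for v in new_values):
            continue
        findings.append((e.get("activityDateTime"), actor, activity, targets))
    return findings

# Constructed sample using a minimal subset of the audit-log schema (not a real export).
SAMPLE_LOG = [
    {"activityDateTime": "2020-12-01T03:12:44Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}},
     "targetResources": [{"displayName": "example.com", "modifiedProperties": []}]},
    {"activityDateTime": "2020-12-01T03:20:10Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}},
     "targetResources": [{"displayName": "Mail Archiver", "modifiedProperties": []}]},
    {"activityDateTime": "2020-12-01T09:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"displayName": "j.doe@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": '"Helpdesk Administrator"'}]}]},
    {"activityDateTime": "2020-12-01T09:05:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}},
     "targetResources": [{"displayName": "j.doe@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": '"Global Administrator"'}]}]},
]

if __name__ == "__main__":
    for ts, actor, activity, targets in review_audit_log(SAMPLE_LOG):
        print(f"{ts} {actor}: {activity} -> {targets} [{WATCHED[activity]}]")
```

The Helpdesk Administrator grant is deliberately left unreported so the output shows only the three entries an analyst would want to chase first.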