Microsoft says that the end goal of the SolarWinds supply chain compromise was to pivot to the victims’ cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks.
No new tactics, techniques, and procedures (TTPs) were shared in a blog post published on Monday to provide Microsoft 365 Defender users with threat hunting techniques for investigating Sunburst attacks.
Targets set on cloud resources
Microsoft 365 Defender Team explains, after infiltrating a target’s network with the help of the Sunburst backdoor, the attackers’ goal is to gain access to the victims’ cloud assets.
With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected),
The next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources
The threat actors behind the SolarWinds hack first had to compromise the SolarWinds Orion Platform build system and abuse it to deliver a backdoor injected as a legitimate DLL via the software update system.
Once the DLL is loaded after the application is started, the backdoor would reach out to its command-and-control server and allow the threat actors to infiltrate the network.
Next, they elevate privileges and move laterally through the victim’s network with the end goal of gaining admin privileges or stealing the (private) SAML signing key.
Once this happens, they forge trusted SAML tokens which allow them to access cloud assets and exfiltrate emails from accounts of interest.
Attack chain and unauthorized cloud access mitigation
Microsoft also detailed the step by step procedure used by the attackers to gain access to their victims’ cloud assets:
- Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
- Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods:
- Stealing the SAML signing certificate (Path 1)
- Adding to or modifying existing federation trust (Path 2)
- Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud
In its guidance highlighting Solarwinds TTP for pivoting to cloud resources, the NSA also shared mitigation measures against unauthorised cloud access which require making it difficult for threat actors to gain access to on-premise identity and federation services.