Cybersecurity firm FireEye has released a whitepaper detailing the techniques used by the SolarWinds hackers inside the networks of companies they breached. Along with the report, the firm has also released a free tool on GitHub named Azure AD Investigator. This tool helps companies worldwide determine if the SolarWinds hackers (also known as UNC2452) used any of the techniques mentioned in the report inside their networks. In this article at The Register, Kieren McCarthy explains the FireEye report’s details and provides information about Azure AD Investigator.
Techniques Used by Hackers
The report highlights that the following are the primary techniques used by hackers:
- Hackers first stole the Active Directory Federation Services (AD FS) token-signing certificate and used it to forge tokens for arbitrary users. Because the forged tokens are accepted as already authenticated, this let the hackers bypass multi-factor authentication.
- They modified or added trusted domains in Azure AD to register a new federated Identity Provider (IdP) under attacker control. This also allowed them to forge tokens for arbitrary users and served as a backdoor into the tenant.
- Further, they compromised the credentials of on-premises user accounts that were synchronized to Microsoft 365 and held privileged directory roles, such as Global Administrator or Application Administrator.
- Hackers hijacked an existing Microsoft 365 application by adding rogue credentials to it, then used the legitimate permissions already assigned to that application, such as the ability to read emails, send emails as an arbitrary user, and access user calendars.
How Does the App Help
“Fortunately, the paper gives a detailed rundown on how to search logs and what to look for to see if an account has been compromised, complete with step-by-step instructions for how to cut access and provide additional protection in future,” explains Kieren. When an application signs in to Microsoft 365 with credentials that were added to it, that sign-in is recorded separately from an interactive user sign-in, which makes it easier to single out. You can view these sign-ins in the Azure Active Directory blade. Review the privileged (sysadmin) accounts in particular, check whether any sign-in credentials have been configured for or added to a specific service principal, and remove any that you cannot account for. Additionally, search for suspicious application credentials and remove them.
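As an added illustration of the log review described above (this is not code from FireEye's tool or the Register article), the following Python triages Azure AD audit-log records for the two persistence techniques the report lists: federation settings changed on a domain, and credentials added to an application or service principal. The record layout follows the Microsoft Graph directoryAudit schema, the activity names are assumed to match what the tenant emits and should be checked against your own logs, and the sample records are constructed.

```python
"""Triage Azure AD audit-log records for UNC2452-style persistence actions."""
import json
from datetime import datetime, timedelta, timezone

# activityDisplayName values to flag (assumed; verify against your tenant's audit log).
SUSPICIOUS_ACTIVITIES = {
    "Set federation settings on domain": "federation settings changed (possible rogue IdP)",
    "Set domain authentication": "domain authentication type changed",
    "Add service principal credentials": "credential added to a service principal",
    "Update application - Certificates and secrets management": "app secret or certificate changed",
}

# Constructed sample records in Microsoft Graph directoryAudit shape (not real tenant data).
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2021-01-05T10:00:00Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "example.com"}]},
    {"activityDateTime": "2021-01-10T09:30:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "hr@example.com"}},
     "targetResources": [{"displayName": "new.hire@example.com"}]},
    {"activityDateTime": "2021-01-12T03:14:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.com"}},
     "targetResources": [{"displayName": "Mail Reader App"}]},
    {"activityDateTime": "2020-06-01T12:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Provisioning Service"}},
     "targetResources": [{"displayName": "Legacy Sync App"}]},
])


def find_suspicious_events(audit_json, lookback_days=90, now_iso=None):
    """Return flagged events (time, actor, targets, reason) within the lookback window."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso else datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for ev in json.loads(audit_json):
        reason = SUSPICIOUS_ACTIVITIES.get(ev.get("activityDisplayName"))
        if not reason:
            continue
        when = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        if when < cutoff:  # outside the review window; still worth a look if the window is widened
            continue
        who = ev.get("initiatedBy", {})
        actor = (who.get("user") or {}).get("userPrincipalName") or (who.get("app") or {}).get("displayName") or "unknown"
        targets = [t.get("displayName") for t in ev.get("targetResources", [])]
        hits.append({"time": ev["activityDateTime"], "actor": actor, "targets": targets, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_events(SAMPLE_AUDIT_LOG, now_iso="2021-01-20T00:00:00Z"):
        print(f'{hit["time"]} {hit["actor"]} -> {hit["targets"]}: {hit["reason"]}')
```

Each flagged line names the actor and the domain or application touched, which is the starting point for deciding whether a federation change or an added credential was legitimate and, if not, for removing it.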
Read the original article by clicking on https://www.theregister.com/2021/01/19/fireeye_solarwinds_code/?mc_cid=4a280506c3&mc_eid=68e4899cec.