As the myriad strings of the SolarWinds breach continue to unravel, the nation’s top cybersecurity agency is warning that the actors behind the intrusion had other initial vectors to gain access to some of the victim organizations and install its backdoor.
In an advisory published Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) said that during its investigation into the government and private sector compromises that followed the SolarWinds breach, it found additional methods that the actors used to access some victims’ networks.
“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” CISA’s advisory says.
“CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”
Earlier this week FireEye and Microsoft released details of an operation by an unnamed actor who was able to compromise the corporate network of SolarWinds, a provider of IT monitoring and management software. The attackers were then able to gain access to an internal build server and load a malicious update for the company’s Orion platform, which was then published and downloaded by nearly 18,000 SolarWinds customers around the world. The update, which was signed by SolarWinds’ own code-signing certificate, contained a vulnerability that the attackers were able to leverage to install a backdoor known as Sunburst onn victim networks. The company’s customers include virtually all of the Fortune 500, government agencies, NGOs, and other organizations.
“The SolarWinds Orion supply chain compromise is not the only initial infection vector."
Although thousands of SolarWinds customers downloaded the malicious update, it’s important to note that likely only a small fraction of those organizations were targeted for further exploitation. The attackers used a couple of different mechanisms for maintaining persistence on systems that they chose to exploit, including the use of privileged accounts in the Windows Microsoft Entra ID.
“CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Microsoft Entra ID domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources,” the CISA advisory says.
“Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner.”
Similarly, the attackers behind this activity have also been seen forging SAML tokens, which are used for authentication to certain services inside a network. This technique is not novel or even unique to this operation, but it gives the attackers highly privileged access to a variety of services and applications on target networks. Those forged SAML tokens are incredibly valuable, allowing the attackers to gain access to systems such as email, business intelligence, and others that rely on SAML.
“The actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources,” the NSA said in a separate advisory on attackers abusing federated identity systems.