Investigators at the Cybersecurity and Infrastructure Security Agency (CISA) have found evidence that the adversary responsible for the SolarWinds breach and subsequent compromises of other organizations has used other initial access methods in its attacks, including abusing legitimate accounts, sometimes through the use of forged SAML tokens.
In an updated advisory issued Wednesday, CISA said that in some of the incidents its experts have investigated related to the SolarWinds breach they have discovered that the attackers have used methods other than the compromised SolarWinds Orion update to gain a foothold in target networks.
“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors. Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” the advisory says.
When the SolarWinds breach was first disclosed in mid-December, Microsoft officials said that they had seen the adversary use stolen SAML signing certificates to forge SAML tokens. That would allow the attackers to access any internal network resource that trusts those SAML tokens. But that activity was seen as something that happened after the adversary already had access to the network by using the backdoor inserted into the Orion update. CISA’s response teams, which help investigate incidents at federal agencies, have found that this activity can also be a way in, along with other methods.
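One way a relying party can hunt for the forged-token pattern described above is to cross-check the SAML assertions it accepted against what the identity provider actually issued. The following is an added example, not code from CISA or the article; it assumes the IdP's issuance log has been exported as a set of assertion IDs, assumes a one-hour normal assertion lifetime as local policy, and uses constructed sample assertions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_LIFETIME = timedelta(hours=1)  # assumed policy: the real IdP issues ~1h assertions
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: assertions as logged by a service provider that trusts the IdP.
ASSERTIONS = [
    """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
      <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2020-12-14T10:00:00Z" NotOnOrAfter="2020-12-14T11:00:00Z"/>
    </saml:Assertion>""",
    """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f9">
      <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
      <saml:Subject><saml:NameID>ir-lead@example.test</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2020-12-14T12:00:00Z" NotOnOrAfter="2020-12-15T12:00:00Z"/>
    </saml:Assertion>""",
]

# Constructed IdP-side record: assertion IDs the genuine IdP actually issued.
# A token signed with a stolen certificate never passes through the IdP, so it has no entry.
IDP_ISSUED = {"_a1"}

def parse_assertion(xml_text):
    """Extract the fields needed for the check from one SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {
        "id": root.get("ID"),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": datetime.strptime(cond.get("NotBefore"), TS),
        "not_after": datetime.strptime(cond.get("NotOnOrAfter"), TS),
    }

def find_suspicious(assertions, idp_issued, max_lifetime=MAX_LIFETIME):
    """Return (id, subject, reasons) for assertions the IdP never issued or with an oversized lifetime."""
    findings = []
    for xml_text in assertions:
        a = parse_assertion(xml_text)
        reasons = []
        if a["id"] not in idp_issued:
            reasons.append("no matching issuance event on the IdP")
        if a["not_after"] - a["not_before"] > max_lifetime:
            reasons.append("validity window exceeds policy")
        if reasons:
            findings.append((a["id"], a["subject"], reasons))
    return findings

if __name__ == "__main__":
    for assertion_id, subject, reasons in find_suspicious(ASSERTIONS, IDP_ISSUED):
        print(assertion_id, subject, "; ".join(reasons))  # _f9 ir-lead@example.test ...
```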
“CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. CISA incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services,” the CISA advisory says.
Once inside a victim network, the attackers have focused on finding and exfiltrating confidential information. CISA said in its new advisory that the attackers have in some cases specifically targeted the email accounts of incident responders and IT staff members. CISA has released a free tool called Sparrow to help IR teams identify compromised accounts and apps in Microsoft Azure or Microsoft 365 environments.
Earlier this week, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence issued an advisory on the SolarWinds breach and said the activity was “likely Russian in origin”. The agencies have not attributed the attacks to any specific group in Russia, although security researchers have pointed the finger at APT29, a group known as Cozy Bear. That team is linked to Russian intelligence agencies and has been tied to many high-profile operations in the past, including attacks on U.S. and foreign government agencies, the Democratic National Committee, and a number of non-profits.
Both federal agencies and private companies have been identified as victims of the adversary behind the SolarWinds breach, including the Department of Justice, Department of Commerce, Department of the Treasury, Microsoft, and FireEye. CISA officials emphasized that remediating the incidents caused by this attacker would be a difficult task.
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered,” the CISA advisory says.