The variety of techniques used by the SolarWinds hackers was sophisticated yet in many ways also ordinary and preventable, according to Microsoft.
To prevent future attacks of similar levels of sophistication, Microsoft is recommending organizations adopt a “zero trust mentality”, which disavows the assumption that everything inside an IT network is safe. That is, organizations should assume breach and explicitly verify the security of user accounts, endpoint devices, the network and other resources.
As Microsoft’s director of identity security, Alex Weinert, notes in a blogpost, the three main attack vectors were compromised user accounts, compromised vendor accounts, and compromised vendor software.
Thousands of companies were affected by the SolarWinds breach, disclosed in mid-December. The hackers, known as UNC2452/Dark Halo, targeted the build environment for SolarWinds’ Orion software, tampering with the process when a program is compiled from source code to a binary executable deployed by customers.
US security vendor Malwarebytes yesterday disclosed it was affected by the same hackers but not via the tainted Orion updates. The hackers instead breached Malwarebytes by exploiting applications with privileged access to Office 365 and Azure infrastructure, giving the attackers “access to a limited subset” of Malwarebytes’ internal emails.
According to Weinert, the attackers exploited gaps in “explicit verification” in each of the main attack vectors.
“Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network,” Weinert writes.
He argues cloud-based identity systems like Azure Active Directory (Azure AD) are more secure than on-premises identity systems because the latter lack cloud-powered protections like Azure AD’s password protection to weed out weak password, recent advances in password spray detection, and enhanced AI for account compromise prevention.
In cases where the actor succeeded, Weinert notes that highly privileged vendor accounts lacked additional protections such as multi factor authentication (MFA), IP range restrictions, device compliance, or access reviews. Microsoft has found that 99.9% of the compromised accounts it tracks every month don’t use MFA.
MFA is an important control as compromised high privilege accounts could be used to forge SAML tokens to access cloud resources. As the NSA noted in its warning after the SolarWinds hack was disclosed: “if the malicious cyber actors are unable to obtain a non-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.”
This attack technique could be thwarted too if there were stricter permissions on user accounts and devices.
“Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress,” notes Weinert.
“The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.”
The Microsoft veteran finally offers a reminder why least privileged access is critical to minimizing an attackers opportunities for moving laterally once inside a network. This should help to compartmentalize attacks by restricting access to an environment from a user, device, or network that’s been compromised.
With Solorigate — the name Microsoft uses for the SolarWinds malware — the attackers “took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all,” Weinert notes.
Weinert admits the SolarWinds hack was a “truly significant and advanced attack” but the techniques they used can be significantly reduced in risk or mitigated with these best practices.