It wasn’t just the SolarWinds supply-chain hack. There were other ways that the “Russian APT29” hackers broke into countless government agencies and private organizations.
So says CISA—the U.S. Cybersecurity and Infrastructure Security Agency. The agency has also updated its indicators of compromise and tips on how to remediate the threats.
This is a story that’s not going away anytime soon. In today’s SB Blogwatch, we keep an eye on the latest.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Spoilers, sweetie.
CISA Is Watching
What’s the craic? Catalin Cimpanu reports—“CISA: SolarWinds hackers also used password guessing … and password spraying to breach targets, not just trojanized updates:”
Once threat actors gained access to internal networks or cloud infrastructure, CISA said the hackers, believed to be Russian in origin, escalated access to gain administrator rights and then moved to forge authentication tokens (OAuth) that allowed them to access other local or cloud-hosted resources inside a company’s network, without needing to provide valid credentials or solve multifactor authentication challenges.
To help victims deal with these “to-cloud” escalations, CISA has also published a second advisory today with guidance on how to search Microsoft-based cloud setups for traces of this group’s activity and then remediate. … CISA said the guidance is “irrespective of the initial access vector” that the SolarWinds hackers leveraged to gain control.
Need more? Just in case, Justin Katz adds—“Hackers breaking into networks without SolarWinds, CISA says:”
As more about the SolarWinds Orion breach has surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove hackers from the government’s networks. … CISA’s new guidance appears to confirm that suspicion, stating [that] Microsoft, which is helping the federal government investigate the hack, reported the hackers are tampering with the trust protocols in Azure/Microsoft 365.
It never rains, but it pours. CISA’s shadowy analysts revised their alert—“Advanced Persistent Threat Compromise:”
One of the initial access vectors for this activity is a supply chain compromise of a … DLL in … SolarWinds Orion products. [But] there are initial access vectors other than the SolarWinds Orion platform and … legitimate account abuse [is] one of these vectors.
We are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified. … CISA incident response investigations have identified that initial access in some cases was obtained by password guessing … password spraying … and inappropriately secured administrative credentials … accessible via external remote access services.
The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. … Microsoft reported that the actor has added new federation trusts to existing on-premises infrastructure. … One method the adversary [uses is] compromising the SAML signing certificate using their escalated Active Directory privileges.
CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal and territorial governments, as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the … list of indicators of compromise (IOC) [in] the STIX file.
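The "password guessing" and "password spraying" initial-access vectors quoted above are detectable from ordinary logon logs, because a spray looks different from a user mistyping a password: one source touches many accounts, each only a few times, to stay under lockout thresholds. The following is an added example written for this post, not code from CISA or from any of the quoted articles; the one-line log format and the sample log lines are constructed for the example.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from CISA or the quoted articles. Assumed log format:
    <ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries many accounts once each (the
# spray pattern), while a second source is just a user retyping their own
# password. IPs are documentation ranges, names are made up.
SAMPLE_LOG = """\
2020-12-17T09:00:01Z 203.0.113.7 alice FAILURE
2020-12-17T09:00:04Z 203.0.113.7 bob FAILURE
2020-12-17T09:00:07Z 203.0.113.7 carol FAILURE
2020-12-17T09:00:10Z 203.0.113.7 dave FAILURE
2020-12-17T09:00:13Z 203.0.113.7 erin FAILURE
2020-12-17T09:00:16Z 203.0.113.7 frank SUCCESS
2020-12-17T09:05:00Z 198.51.100.9 alice FAILURE
2020-12-17T09:05:20Z 198.51.100.9 alice FAILURE
2020-12-17T09:05:45Z 198.51.100.9 alice SUCCESS
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted usernames} for every source that failed
    against at least `min_users` distinct accounts inside a sliding window.

    Breadth (many accounts) is the signal, not depth (many tries per
    account): a spray deliberately keeps the per-account failure count
    below lockout, so a per-user threshold would never fire on it.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, user)], failures only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAILURE":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_flagged(log_text, flagged):
    """Successful logons from flagged sources: the accounts to treat as
    compromised and to check for the follow-on privilege escalation the
    advisory describes."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if ip in flagged and result == "SUCCESS":
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    sprayers = detect_password_spray(SAMPLE_LOG)
    print("spraying sources:", sprayers)
    print("accounts they got into:", successes_from_flagged(SAMPLE_LOG, sprayers))
```

The thresholds (`window`, `min_users`) are tuning knobs; in a real environment they are set from a baseline of how many distinct accounts a legitimate source (a VPN concentrator, a shared NAT) normally fails against, and the source key may need to be a device or session identifier rather than a bare IP.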
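The alert's other points, SAML token abuse, a compromised SAML signing certificate, and new federation trusts added to on-premises infrastructure, all leave traces in the assertions themselves: an issuer that is not one of your known federation partners, a signing certificate that is not the one you pinned, or a validity window far longer than an IdP normally mints. The following triage filter is an added example for this post, not CISA's or Microsoft's tooling; the issuer URL, the placeholder "certificate" bytes and the assertion skeleton are all constructed. It does not verify the XML signature cryptographically (that needs a library such as signxml), so it is a log-triage check on captured assertions, not a replacement for signature validation at the service provider.

```python
"""Triage checks over captured SAML assertions (added example, not CISA's code).

Assumed checks, each an assumption of this example rather than a statement
from the advisory:
  * Issuer must be a known federation partner; an attacker-added federation
    trust shows up as an issuer that is not on that list.
  * The X509 certificate embedded in the assertion's Signature must match
    the pinned thumbprint of the legitimate signing certificate.
  * The validity window must be short; assertions are minted for minutes.
No cryptographic signature verification is done here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed placeholders standing in for DER-encoded certificates so the
# example runs offline; a real pin is the SHA-256 of the real DER bytes.
GOOD_CERT_DER = b"placeholder-der-bytes-of-the-legitimate-signing-cert"
ROGUE_CERT_DER = b"placeholder-der-bytes-of-an-attacker-controlled-cert"


def thumbprint(der):
    return hashlib.sha256(der).hexdigest()


PINNED_THUMBPRINTS = {thumbprint(GOOD_CERT_DER)}
KNOWN_ISSUERS = {"http://sts.example.test/adfs/services/trust"}  # constructed
MAX_LIFETIME = timedelta(minutes=10)
SAMPLE_TIME = datetime(2020, 12, 17, 9, 0, 0)


def make_assertion(issuer, cert_der, not_before, not_on_or_after):
    """Build a minimal, unsigned assertion as constructed test input."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_1">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="{not_before:%Y-%m-%dT%H:%M:%SZ}" NotOnOrAfter="{not_on_or_after:%Y-%m-%dT%H:%M:%SZ}"/>
</saml:Assertion>"""


def triage_assertion(xml_text):
    """Return a list of findings; an empty list means nothing anomalous."""
    root = ET.fromstring(xml_text)
    findings = []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in KNOWN_ISSUERS:
        findings.append(f"unknown issuer: {issuer}")

    cert_b64 = root.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    der = base64.b64decode("".join(cert_b64.split()))
    if thumbprint(der) not in PINNED_THUMBPRINTS:
        findings.append(f"signing cert not pinned: {thumbprint(der)[:16]}...")

    cond = root.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    if not_after - not_before > MAX_LIFETIME:
        findings.append(f"validity window {not_after - not_before} exceeds {MAX_LIFETIME}")
    return findings


def build_samples():
    """Constructed assertions: one benign, two that should be flagged."""
    good_issuer = next(iter(KNOWN_ISSUERS))
    short = SAMPLE_TIME + timedelta(minutes=5)
    long = SAMPLE_TIME + timedelta(hours=24)
    return {
        "benign": make_assertion(good_issuer, GOOD_CERT_DER, SAMPLE_TIME, short),
        "rogue_cert_long_life": make_assertion(good_issuer, ROGUE_CERT_DER, SAMPLE_TIME, long),
        "new_trust": make_assertion("http://idp.attacker.test/trust", GOOD_CERT_DER, SAMPLE_TIME, short),
    }


if __name__ == "__main__":
    for name, xml_text in build_samples().items():
        print(name, "->", triage_assertion(xml_text) or "clean")
```

The pinned-thumbprint check is the one that matters most after an incident like this: once the SAML signing certificate is rotated, every assertion still carrying the old certificate is either stale or forged, and the issuer allow-list turns a newly added federation trust from an invisible configuration change into a visible log event.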