One of the most chilling aspects of Russia’s recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this wasn’t the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims’ networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.
The SolarWinds hackers used their access in many cases to infiltrate their victims’ Microsoft 365 email services and Microsoft Azure Cloud infrastructure—both treasure troves of potentially sensitive and valuable data. The challenge of preventing these types of intrusions into Microsoft 365 and Azure is that they don’t depend on specific vulnerabilities that can simply be patched. Instead hackers use an initial attack that positions them to manipulate Microsoft 365 and Azure in a way that appears legitimate. In this case, to great effect.
“Now there are other actors that will obviously adopt these techniques, because they go after what works,” says Matthew McWhirt, a director at Mandiant Fireeye, first identified the Russian campaign at the beginning of December.
In the recent barrage, hackers compromised a SolarWinds product, Orion, and distributed tainted updates that gave the attackers a foothold on the network of every SolarWinds customer who downloaded the malicious patch. From there, the attackers could use their newfound privileges on victim systems to take control of certificates and keys used to generate system authentication tokens, known as SAML tokens, for Microsoft 365 and Azure. Organizations manage this authentication infrastructure locally, rather than in the cloud, through a Microsoft component called Active Directory Federation Services.
Once an attacker has the network privileges to manipulate this authentication scheme, they can generate legitimate tokens to access any of the organization’s Microsoft 365 and Azure accounts, no passwords or multifactor authentication required. From there, the attackers can also create new accounts, and grant themselves the high privileges needed to roam freely without raising red flags.
“We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Microsoft said in a December blog post that linked these techniques to the SolarWinds hackers. “We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”
The National Security Agency also detailed the techniques in a December report.
“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML tokens could be forged, granting access to numerous resources.”
Microsoft has since expanded its monitoring tools in Azure Sentinel. And Mandiant is also releasing a tool that makes it easier for groups to assess whether someone has been monkeying with their authentication token generation for Azure and Microsoft 365, like surfacing information on new certificates and accounts.
Now that the techniques have been exposed very publicly, more organizations may be on the lookout for such malicious activity. But SAML token manipulation is a risk for virtually all cloud users, not just those on Azure, as some researchers have warned for years. In 2017, Shaked Reiner, a researcher at the corporate defense firm CyberArk, published findings about the technique, dubbed GoldenSAML. He even built a proof of concept tool that security practitioners could use to test whether their clients were susceptible to potential SAML token manipulation.
Reiner suspects that attackers haven’t used GoldenSAML techniques more often in the past few years simply because it requires such a high level of access to pull off. Still, he says he has always viewed increased deployment as inevitable, given the technique’s efficacy. It also builds on another well known Microsoft Active Directory attack from 2014 called Golden Ticket.