Malwarebytes Targeted by the SolarWinds Attackers via Azure and Office 365
Earlier this month, the security firm Malwarebytes disclosed that it had been targeted by the same nation-state actor behind the SolarWinds intrusion. The attack abused an application with privileged access to Malwarebytes' Microsoft Office 365 and Azure environments, and the intruders worked quietly to avoid detection. Malwarebytes' internal on-premises and production systems were not breached; the attackers obtained only a limited subset of internal emails. SolarWinds itself fared worse: there, the intruders compromised the company's software build infrastructure.
What the attack had in common with earlier intrusions
Among the many intrusions seen in recent years, the SolarWinds software supply-chain attack stands out. It led to breaches at several US government agencies and affected private companies as well, and it served as a reminder of how exposed US networks are. Researchers, and later the US government, attributed the operation to the Russian government.
The Sunburst cyber-espionage campaign reached a large number of potential targets, including many of the largest US technology companies. Beyond the supply-chain compromise itself, the campaign abused Microsoft identity and access management (IAM) products to move quietly from on-premises networks into Office 365 environments. Roughly 18,000 organizations installed the trojanized update; the attackers then selected on the order of 100 of them for follow-on intrusion.
The campaign had many characteristics of previous intrusions: it relied on multiple points of entry, including compromised email accounts and a stolen signing certificate, rather than on a single exploit. Abuse of trusted software channels is not unique to it, either. In a separate supply-chain campaign reported in late 2020, attackers abused WIZVERA VeraPort, a security tool that South Korean banking websites require users to install and that is also widely deployed in government and enterprise organizations, to deliver malware through a trusted installation path.
Other reporting from the same period described a backdoor called Smanager, which downloads additional malicious packages and communicates with a command-and-control server, and which shares code with the Tmanger malware family.
SolarWinds products were hit again in 2021, when a zero-day remote code execution flaw in its Serv-U FTP software was exploited in the wild and subsequently patched by SolarWinds; that exploit was unrelated to the Sunburst backdoor. EvLog, an administrative event-log tool developed by the Canadian company Altair Technologies, has also been reported as a target.
The Sunburst campaign was a supply-chain attack, but far from the first. One tally counts thirty-six publicly documented software supply-chain attacks since 2010, accounting for roughly 70 percent of the victims in that dataset.
Microsoft IAM products were central to the Sunburst campaign
In an intelligence-gathering campaign, the adversary compromised SolarWinds, an enterprise network management vendor, and then abused Microsoft IAM products to move quietly through its victims' networks.
The Sunburst cyber-espionage campaign illustrates the persistent intelligence contest that plays out in cyberspace. Cyberspace is vital to national security and can be used to advance national objectives, but it is also a target, and adversaries constantly develop new techniques to break in.
The abuse of Microsoft IAM products is what gave the intruders access to Office 365 environments in the cloud. With a stolen AD FS token-signing certificate, or a credential added to an existing Azure AD application, the attacker could mint its own access without touching a victim's passwords. That made the compromise much harder to revoke, since resetting user passwords does nothing against forged tokens or attacker-controlled application credentials.
The Sunburst campaign raised hard questions about cloud security. The United States has no comprehensive strategy for defending its cloud infrastructure; instead the government labors under an outdated software security model that does not match how software is actually built and delivered today, which leaves gaps attackers can exploit quickly and easily.
The campaign highlights the need for policymakers to work with industry to improve the defensibility of the technology ecosystem. It also shows that, for lack of a strategy, the United States is ceding leverage to an adversary. Holding its own in the intelligence competition requires a comprehensive and meaningful policy response.
In the Sunburst case, the adversary gained access to Office 365 environments by abusing Microsoft IAM products. That is a reminder of how central identity is to protecting an organization. Defending against such intrusions requires the ability to identify and monitor users, applications and service principals across the enterprise; IAM tooling both simplifies sign-in and keeps a record of who, and what, is gaining access to the network.
Intruders compromised SolarWinds’ build infrastructure
Almost nine months after the intruders first got in, SolarWinds confirmed that its software update infrastructure had been compromised. The company said the tainted updates may have reached as many as 18,000 customers. The full extent of the attack is still unclear, and SolarWinds has not determined whether other vendors were affected as well.
SolarWinds' software is widely used in the enterprise and in the public sector. The company's Orion IT network management platform is one of its most popular products, used by a wide variety of Fortune 500 companies and government agencies.
The malicious code entered SolarWinds' software through the build process: the company has acknowledged that its internal build infrastructure was compromised and that the code was inserted into Orion platform updates, which were distributed to customers beginning in March 2020.
The attack used a backdoor, known as Sunburst, embedded in the signed Orion update. After installation it lay dormant for roughly two weeks, checked for security tooling on the host and could disable security services it found, and then sent a beacon to an attacker-controlled server, encoding information about the infected network into the request.
The backdoor also let the attackers monitor and control compromised networks and user permissions, and they used the information it returned to select which victims to pursue further.
The attack affected many organizations, including the Department of the Treasury, the National Nuclear Security Administration, and the Department of Commerce, as well as technology companies such as Microsoft and Cisco.
The hack affected thousands of organizations worldwide, and has implications for a number of industries. The extent of the damage is still unclear, but the scope of the attack is enough to worry many.
In light of this, many experts are speculating whether the attack was a result of a Russian intelligence operation. The White House has said it was, but Russia has denied any involvement.
Malwarebytes' internal network was not breached
Earlier this month, the cybersecurity firm Malwarebytes reported that it had been targeted by the same nation-state threat actor that compromised SolarWinds. The attack abused applications with privileged access to the company's Microsoft Office 365 and Azure environments.
The intrusion did not go through Malwarebytes' own security products. Instead, the attackers abused privileged access to the company's Microsoft Office 365 tenant to read a limited subset of internal emails. The firm has not disclosed further details beyond saying that the impact was limited to those emails.
According to Malwarebytes, the attackers got into its Azure-hosted Microsoft environment by abusing a dormant third-party application that held privileged access to the Office 365 tenant. The firm concluded that the same threat actor that hit SolarWinds had compromised its Microsoft cloud email.
The company has since performed a thorough investigation of its infrastructure and source code and concluded that it was not affected by the SolarWinds supply-chain compromise: Malwarebytes does not use SolarWinds software, so the attacker had to use a different intrusion vector. Malwarebytes does consider the attack part of the same broader Russian campaign, though, and has not said how the attacker first obtained access to the abused application.
Malwarebytes was thus a victim of the same group that compromised SolarWinds, tracked by FireEye as UNC2452 and believed to be a Russian government cyber-espionage operation.
According to Malwarebytes, the attack did not affect its products or its internal on-premises systems; the company is confident the hackers gained access to only a limited subset of internal emails. It did note that the attack occurred over a 17-hour period.
Malwarebytes learned of the incident when Microsoft notified it of suspicious activity from the dormant application. The company's CEO also disclosed the attack on Twitter.
Intruders waited patiently to avoid detection
Using Microsoft IAM products, the adversary gained a foothold in Office 365 and moved quietly through victim networks. Beyond the usual credential theft and password guessing, it attacked the identity infrastructure itself: by stealing the Active Directory Federation Services (AD FS) token-signing certificate from an on-premises server, it could forge SAML tokens for any user and present them to Office 365 and other cloud services as if AD FS had issued them.
The Sunburst campaign was thus a supply-chain attack that relied on Microsoft's identity products for the quiet lateral movement that followed. The attackers also added their own credentials to existing Azure AD applications and service principals and used those applications to read mailboxes through the Microsoft Graph API, which looks like legitimate application traffic in the logs.
Security researchers have shown that the actor moved laterally from on-premises networks into Azure cloud environments. The SolarWinds compromise, whose trojanized Orion update reached as many as 18,000 customers of the network management vendor, is the clearest example.
The attack is a reminder that valid account credentials are the most common route into an organization's network. By one estimate, intruders typically sit inside a network for around 100 days before being discovered, learning the environment as they go. Resetting the stolen password is not a fix on its own, because by then the intruder may have escalated privileges and established other footholds.
Although the Sunburst campaign itself is over, the adversary's abuse of identity products continues. These techniques let it turn the most important security technologies in the Microsoft stack, federation and application identity, to its own ends.
CISA's Sparrow tool, the Microsoft Graph API, and the Office 365 Management Activity API are among the tools available to detect and investigate this activity. CISA's alert on detecting post-compromise activity in Microsoft cloud environments (AA21-008A) does not endorse any particular product, but it points to open-source tooling that security teams should find useful.
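A forged SAML token signed with the stolen AD FS key looks valid to the cloud, so it cannot be caught by checking the signature. What does give it away is that AD FS never issued it. The script below, an added example rather than code from the article, Microsoft or CISA, correlates AD FS token-issuance events (Security log EventID 1200) with Azure AD sign-ins whose token came from the federation server, and reports sign-ins that have no matching issuance for that user in the preceding window. The field names, the 1200 event id usage and the `ADFederationServices` issuer value are assumptions about the export format; the log entries are constructed.

```python
"""Spot forged ("Golden SAML") tokens by correlating AD FS issuance with cloud sign-ins.

Added example, not code from the article, from Microsoft or from CISA.
Assumed inputs: AD FS Security-log events as dicts with "EventID" (1200 =
"The Federation Service issued a valid token"), "TimeCreated" and
"UserPrincipalName"; Azure AD sign-in records with "userPrincipalName",
"createdDateTime" and "tokenIssuerType". Field names are assumptions;
adapt them to your own export format.
"""
from datetime import datetime, timedelta

ADFS_TOKEN_ISSUED = 1200                   # AD FS Security log: valid token issued
FEDERATED_ISSUER = "ADFederationServices"  # assumed tokenIssuerType for federated sign-ins


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2020-12-15T09:00:10Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def index_adfs_issuance(adfs_events):
    """Map lower-cased UPN -> sorted issuance times taken from EventID 1200 records."""
    issued = {}
    for ev in adfs_events:
        if ev.get("EventID") != ADFS_TOKEN_ISSUED:
            continue
        issued.setdefault(ev["UserPrincipalName"].lower(), []).append(parse_ts(ev["TimeCreated"]))
    for times in issued.values():
        times.sort()
    return issued


def find_unbacked_federated_signins(adfs_events, signins, window_minutes=5):
    """Return federated cloud sign-ins with no AD FS 1200 event for that user
    within the preceding window. The cloud accepted a SAML token that AD FS
    never issued, so something else holding the token-signing key signed it."""
    window = timedelta(minutes=window_minutes)
    issued = index_adfs_issuance(adfs_events)
    suspicious = []
    for s in signins:
        if s.get("tokenIssuerType") != FEDERATED_ISSUER:
            continue  # cloud-native authentication; AD FS is not involved
        t = parse_ts(s["createdDateTime"])
        times = issued.get(s["userPrincipalName"].lower(), [])
        if not any(t - window <= it <= t for it in times):
            suspicious.append(s)
    return suspicious


# Constructed sample data (not real logs).
ADFS_EVENTS = [
    {"EventID": 1202, "TimeCreated": "2020-12-15T09:00:09Z", "UserPrincipalName": "alice@contoso.example"},
    {"EventID": 1200, "TimeCreated": "2020-12-15T09:00:10Z", "UserPrincipalName": "alice@contoso.example"},
]
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2020-12-15T09:01:00Z",
     "tokenIssuerType": "ADFederationServices"},   # backed by the 09:00:10 issuance
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2020-12-15T09:20:00Z",
     "tokenIssuerType": "AzureAD"},                # cloud-native, skipped
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2020-12-15T09:30:00Z",
     "tokenIssuerType": "ADFederationServices"},   # no issuance at all for bob
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2020-12-15T15:00:00Z",
     "tokenIssuerType": "ADFederationServices"},   # issuance is hours old
]

if __name__ == "__main__":
    for s in find_unbacked_federated_signins(ADFS_EVENTS, SIGNINS):
        print("federated sign-in with no AD FS issuance:", s["userPrincipalName"], s["createdDateTime"])
```

The window should be tuned to the real clock skew between the AD FS servers and the cloud tenant; a token reused long after issuance is itself worth a look, but the hits to chase first are users with no issuance event at all.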
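The checks Sparrow runs against the Office 365 unified audit log come down to a small set of audit operations: credentials added to existing service principals, application secrets changed, federation settings modified, consent grants, and mailbox reads by applications. The script below is an added example, not the article's, CISA's or any vendor's code, that runs the same kind of triage over a newline-delimited JSON export. The operation strings and field names (`Operation`, `UserId`, `ObjectId`, `ClientAppId`) are the ones commonly seen in Azure AD and Exchange Online audit records but are assumptions here, and the sample export is constructed; verify both against your own tenant before relying on them.

```python
"""Sparrow-style triage of an Office 365 unified audit log (UAL) export.

Added example; not code from the article, from CISA's Sparrow, or from any
vendor. It scans newline-delimited JSON audit records for the persistence
and data-access patterns seen in the Sunburst follow-on activity. The
Operation strings and field names below are assumptions about the export
format: verify them against your own tenant before relying on them.
"""
import json
from collections import Counter

# Operation substrings (matched case-insensitively) mapped to what they indicate.
WATCHED_OPERATIONS = {
    "add service principal credentials": "credential added to existing service principal",
    "certificates and secrets management": "application certificate/secret changed",
    "set federation settings on domain": "federation trust modified",
    "set domain authentication": "domain authentication type changed",
    "consent to application": "consent granted to application",
    "add app role assignment grant to user": "application role assigned",
    "add delegated permission grant": "delegated permission granted",
    "add member to role": "directory role membership changed",
}


def load_records(text):
    """Parse a newline-delimited JSON export, one UAL record per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_persistence_events(records):
    """Return one finding per record whose Operation matches WATCHED_OPERATIONS."""
    findings = []
    for rec in records:
        op = str(rec.get("Operation", "")).lower()
        for needle, label in WATCHED_OPERATIONS.items():
            if needle in op:
                findings.append({
                    "time": rec.get("CreationTime"),
                    "actor": rec.get("UserId"),
                    "operation": rec.get("Operation"),
                    "target": rec.get("ObjectId"),
                    "label": label,
                })
                break
    return findings


def mail_access_by_unknown_apps(records, known_app_ids):
    """Count MailItemsAccessed events per application id, ignoring known apps.

    An attacker who added a credential to an existing application and then
    read mail through the Graph API shows up as an unfamiliar, or suddenly
    very busy, application id in the mailbox audit records.
    """
    counts = Counter()
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        app_id = rec.get("ClientAppId") or rec.get("AppId") or "<none>"
        if app_id not in known_app_ids:
            counts[app_id] += 1
    return dict(counts)


# Constructed sample export (not real audit data); GUIDs are placeholders.
SAMPLE_UAL = """\
{"CreationTime": "2020-12-14T02:10:00", "Operation": "UserLoggedIn", "UserId": "alice@contoso.example", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2020-12-14T02:12:31", "Operation": "Add service principal credentials.", "UserId": "admin@contoso.example", "ObjectId": "ServicePrincipal_11111111-2222-3333-4444-555555555555", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2020-12-14T02:15:07", "Operation": "Set federation settings on domain.", "UserId": "admin@contoso.example", "ObjectId": "contoso.example", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2020-12-14T02:40:00", "Operation": "MailItemsAccessed", "UserId": "ceo@contoso.example", "ClientAppId": "aaaaaaaa-0000-0000-0000-000000000001", "Workload": "Exchange"}
{"CreationTime": "2020-12-14T02:41:00", "Operation": "MailItemsAccessed", "UserId": "ceo@contoso.example", "ClientAppId": "bbbbbbbb-0000-0000-0000-000000000002", "Workload": "Exchange"}
{"CreationTime": "2020-12-14T02:42:00", "Operation": "MailItemsAccessed", "UserId": "cfo@contoso.example", "ClientAppId": "bbbbbbbb-0000-0000-0000-000000000002", "Workload": "Exchange"}
"""

KNOWN_APP_IDS = {"aaaaaaaa-0000-0000-0000-000000000001"}  # assumed allowlist of expected mail clients


def triage(text, known_app_ids=KNOWN_APP_IDS):
    """Run both checks over an export and return the findings."""
    records = load_records(text)
    return {
        "persistence": find_persistence_events(records),
        "mail_access_by_unknown_apps": mail_access_by_unknown_apps(records, known_app_ids),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_UAL), indent=2))
```

On a real tenant the persistence findings are rare enough to review by hand; the application allowlist is the part that needs care, since a legitimate app that already had mail permissions is exactly what this actor chose to hijack.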