Microsoft analysts continue to study the supply chain attack that hit SolarWinds and its customers this year. Let me remind you that unknown attackers compromised SolarWinds and infected its Orion platform with malware. The victims include such giants as Microsoft, Cisco and FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration. Everything that is known about this large-scale compromise, which many call the hack of the year, we have collected in one article.
A new Microsoft 365 Defender blog post contains no new technical details, but the experts write that they appear to have identified the hackers' ultimate goal: after infiltrating companies' networks using the SUNBURST (or Solorigate) backdoor, the hackers sought to gain access to the victims' cloud resources.
“With such a massive initial foothold, attackers could choose specific organizations in which they want to continue working (while others remained a fallback, available at any time, as long as the backdoor was installed and not detected),” the researchers write.
Microsoft experts point out that the hackers' end goal, apparently, was to forge SAML (Security Assertion Markup Language) tokens, which serve as authentication tokens granting access to cloud resources. In this way, the hackers were able to extract emails from accounts of interest to them.
Microsoft detailed the tactics the attackers used to gain access to their victims' cloud resources:
- using a compromised SolarWinds DLL to activate a backdoor that allowed remote control and operation of the device;
- using the backdoor to steal credentials, escalate privileges and move laterally in order to create valid SAML tokens in one of two ways: by stealing the SAML signing certificate, or by adding or modifying existing federation trusts;
- using the generated SAML tokens to access cloud resources and perform actions leading to the theft of emails, and to retain access to the cloud.
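Both token-forging routes in the list above (a stolen signing certificate, or a federation trust the attackers added themselves) yield SAML assertions that are cryptographically valid but signed by a certificate the tenant never intended to trust, or with properties its real identity provider never issues. As an added example that is not from Microsoft's post, the Python check below audits captured assertions from the defender's side: it pins the issuer and the signing-certificate thumbprint to an allowlist and flags token lifetimes longer than policy. The issuer URL, certificates and timestamps are constructed placeholders, and the XML signature itself is assumed to have been verified before this check runs.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed policy: the issuer this tenant federates with and the longest
# token lifetime its real IdP is configured to issue (assumed values).
TRUSTED_ISSUERS = {"http://idp.example.test/adfs/services/trust"}
MAX_LIFETIME = timedelta(hours=1)

# Constructed stand-ins for DER certificates (not real certificates).
TRUSTED_CERT_B64 = base64.b64encode(b"constructed: legitimate IdP signing cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed: attacker-controlled cert").decode()

def cert_thumbprint(b64_der):
    """SHA-1 thumbprint of a base64 DER certificate, the form ADFS and Azure AD display."""
    return hashlib.sha1(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sample_assertion(issuer, cert_b64, not_before, not_on_or_after):
    """Minimal constructed SAML 2.0 assertion carrying only the fields the checks use."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}"
            f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
            f"</saml:Assertion>")

def audit_assertion(xml_text, trusted_thumbprints):
    """Return findings for one assertion; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        findings.append(f"issuer not federated with this tenant: {issuer!r}")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        findings.append("no signing certificate in assertion")
    elif cert_thumbprint(cert.text) not in trusted_thumbprints:
        # Catches the added-trust route; a stolen legitimate cert passes this test,
        # so the lifetime check below is what remains for that route.
        findings.append(f"signing certificate not in allowlist: {cert_thumbprint(cert.text)}")
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"token lifetime {lifetime} exceeds policy {MAX_LIFETIME}")
    return findings
```

The allowlist of thumbprints should come from the tenant's own federation configuration, not from the assertion being checked, since an attacker who added a trust would also have added the certificate there.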