Otto
Advanced
- Joined
- 22.09.20
- Messages
- 107
- Reaction score
- 380
- Points
- 63
Hackers used applications with privileged access to Microsoft Office 365 and Azure environments.
Security researchers from the information security firm Malwarebytes have confirmed that the cybercriminals responsible for the attack on the SolarWinds supply chain were able to access the company's email.
"Despite the fact that Malwarebytes does not use SolarWinds software, we, like many other companies, were recently attacked by the same attacker. We can confirm the existence of another attack vector involving the abuse of applications with privileged access to Microsoft Office 365 and Azure environments, " said Marcin Kleczynski, CEO and co-founder of Malwarebytes.
According to experts, on December 15, they received a notification from the Microsoft Security Response Center about suspicious activity of a third-party application in the Microsoft Office 365 client, corresponding to the tactics, methods and procedures of the same criminals who participated in the attacks on SolarWinds. As the results of the investigation showed, the attackers took advantage of the vulnerability of Azure Active Directory, which allowed them to gain access to a limited set of internal e-mail of the company.
Given the nature of the attack on SolarWinds 'supply chains, and taking extra care, the team immediately conducted a thorough investigation of all Malwarebytes' source code, build and delivery processes, including reverse engineering their own software. The internal systems showed no evidence of unauthorized access or hacking in any local and production environments. The software is safe to use, the researchers assured.
Against the background of ongoing investigations, FireEye specialists have released a tool to audit networks for the techniques used by hackers during the hacking of SolarWinds networks. A free tool called Azure AD Investigator is designed to help companies determine whether SolarWinds hackers used any of these methods on their networks.
FireEye also released a report describing the stages of the attack:
Stealing an Active Directory Federation Services (AD FS) token signing certificate and using it to forge tokens for arbitrary users. This allows you to authenticate to a federated resource provider (such as Microsoft 365) under the guise of any user without having to enter a password or go through multi-factor authentication.
Change trusted domains in Azure AD to add a new federated Identity Provider (IdP) that is managed by an attacker.
Compromising the credentials of local user accounts that are synced with Microsoft 365 and have high privileges.
Hacking an existing Microsoft 365 app by adding fraudulent credentials to it to use legitimate permissions, such as the ability to read email, send email on behalf of an arbitrary user, access user calendars, and so on.
Security researchers from the information security firm Malwarebytes have confirmed that the cybercriminals responsible for the attack on the SolarWinds supply chain were able to access the company's email.
"Despite the fact that Malwarebytes does not use SolarWinds software, we, like many other companies, were recently attacked by the same attacker. We can confirm the existence of another attack vector involving the abuse of applications with privileged access to Microsoft Office 365 and Azure environments, " said Marcin Kleczynski, CEO and co-founder of Malwarebytes.
According to experts, on December 15, they received a notification from the Microsoft Security Response Center about suspicious activity of a third-party application in the Microsoft Office 365 client, corresponding to the tactics, methods and procedures of the same criminals who participated in the attacks on SolarWinds. As the results of the investigation showed, the attackers took advantage of the vulnerability of Azure Active Directory, which allowed them to gain access to a limited set of internal e-mail of the company.
Given the nature of the attack on SolarWinds 'supply chains, and taking extra care, the team immediately conducted a thorough investigation of all Malwarebytes' source code, build and delivery processes, including reverse engineering their own software. The internal systems showed no evidence of unauthorized access or hacking in any local and production environments. The software is safe to use, the researchers assured.
Against the background of ongoing investigations, FireEye specialists have released a tool to audit networks for the techniques used by hackers during the hacking of SolarWinds networks. A free tool called Azure AD Investigator is designed to help companies determine whether SolarWinds hackers used any of these methods on their networks.
FireEye also released a report describing the stages of the attack:
Stealing an Active Directory Federation Services (AD FS) token signing certificate and using it to forge tokens for arbitrary users. This allows you to authenticate to a federated resource provider (such as Microsoft 365) under the guise of any user without having to enter a password or go through multi-factor authentication.
Change trusted domains in Azure AD to add a new federated Identity Provider (IdP) that is managed by an attacker.
Compromising the credentials of local user accounts that are synced with Microsoft 365 and have high privileges.
Hacking an existing Microsoft 365 app by adding fraudulent credentials to it to use legitimate permissions, such as the ability to read email, send email on behalf of an arbitrary user, access user calendars, and so on.