The SolarWinds hackers are back -- now they're targeting resellers, cloud providers, and MSPs
Is Active Directory the problem here?
They're back: The hackers behind the devastating SolarWinds supply chain attacks -- which led to the compromise of nine federal US agencies and over 100 large enterprises globally -- have returned and are actively targeting "the networks of technology solutions, services, and reseller companies in North America and Europe", with as many as 14 already breached, according to new reports from Mandiant and Microsoft.
Targets have included multiple cloud service providers (CSPs), including Azure, and managed service providers (MSPs), an October 25 blog by the Microsoft Threat Intelligence Center (MSTIC) said, noting the hackers have been "observed chaining together artifacts and access across four distinct providers to reach their end target."
The attacks start with "use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing," MSTIC noted.
Microsoft is urging customers to prioritise "a thorough review and audit of partner relationships to minimize any unnecessary permissions between your organization and upstream providers". This should include the hardening and monitoring of all tenant administrator accounts, including those associated with Administer On Behalf Of (AOBO) in Azure subscriptions, and the review of devices registered for use with MFA, it added.
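One concrete way to carry out the admin-account and MFA-device parts of that review is to enumerate every holder of the Global Administrator role and the authentication methods registered on each account. The script below is an added example written for this article, not code from Microsoft's post; it assumes the Microsoft Graph PowerShell SDK is installed and that the caller can consent to the two read-only scopes it requests. The partner-relationship (delegated admin) review Microsoft also asks for is a separate exercise and is not covered here.

```powershell
# Added example, not from Microsoft's post: list every holder of the Global Administrator
# role together with the authentication methods (password, phone, Microsoft Authenticator
# devices, FIDO2 keys, ...) registered on each account, so that unexpected admins and
# recently added MFA devices stand out. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Directory.Read.All", "UserAuthenticationMethod.Read.All"

# Directory roles come back as activated role objects; pick the one we care about by name.
$role    = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    $kind = $m.AdditionalProperties['@odata.type']
    if ($kind -ne '#microsoft.graph.user') {
        # Groups or service principals holding the role have no auth methods of their own
        # and deserve a review in their own right.
        [pscustomobject]@{
            Principal  = $m.Id
            Kind       = $kind
            Method     = 'n/a'
            Device     = $null
            Registered = $null
            Flag       = 'non-user principal holds Global Administrator'
        }
        continue
    }

    $upn = $m.AdditionalProperties['userPrincipalName']
    foreach ($meth in (Get-MgUserAuthenticationMethod -UserId $m.Id)) {
        # Subtype-specific fields (displayName, createdDateTime) live in AdditionalProperties.
        $p = $meth.AdditionalProperties
        $registered = if ($p['createdDateTime']) { [datetime]$p['createdDateTime'] } else { $null }
        [pscustomobject]@{
            Principal  = $upn
            Kind       = 'user'
            Method     = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Device     = $p['displayName']   # Authenticator app or FIDO2 key name, where present
            Registered = $registered
            # An MFA method added to an admin account in the last 30 days warrants a second look.
            Flag       = $(if ($registered -and $registered -gt (Get-Date).AddDays(-30)) { 'recently registered' } else { '' })
        }
    }
}

$report | Sort-Object Principal, Registered | Format-Table -AutoSize
```

Run it from a workstation that is itself trusted; the output is a starting point for asking whether each admin should hold the role at all and whether each registered device is one the user recognises.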
SolarWinds attackers turn to MSPs, resellers
The threat actor APT29, known as "Nobelium" by Microsoft, has been identified by US authorities as being part of Russia's foreign intelligence service, the SVR. Microsoft itself has been extensively targeted by the group in the past: in the wake of the attacks on SolarWinds it succeeded in stealing proprietary Microsoft source code, including details about how Azure authenticates customers.
As the Microsoft graphic above shows, Azure AD has also been targeted as part of the current campaign. (Microsoft said that between July 1 and October 19 this year 609 customers had been attacked 22,868 times by Nobelium, "with a success rate in the low single digits".)
Microsoft's corporate VP for security Tom Burt said: "We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers... Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium. We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised. Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers..."
As Mandiant SVP and CTO Charles Carmakal added in an emailed comment: "Most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe... This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor. This is particularly effective for the threat actor for two reasons: First, it shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses and second, investigating these intrusions requires collaboration and information sharing across multiple victim organizations, which is challenging due to privacy concerns and organizational sensitivities. We've observed this attack path used to obtain access to on-premises and cloud victim environments. Similar to the victimology observed in the 2020 campaign, the targets of this intrusion activity appear to ultimately be government organizations and other organizations that deal in matters of interest to Russia. The intrusion activity is ongoing and Mandiant is actively working with organizations that are impacted."
Is Active Directory an ongoing problem?
Critics have in the past warned that Active Directory environments, and the federation layer that bridges them to the cloud, are a particular weak point here.
As Crowdstrike CEO and founder George Kurtz told the Senate Select Committee on Intelligence in February 2021, Nobelium has been "taking advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network, as well as between the network and the cloud, by creating false credentials, impersonating legitimate users, and bypassing multi-factor authentication."
His comments came after Crowdstrike identified attacks on "a third party IT reseller that managed Microsoft licenses for a number of companies, including CrowdStrike", with Kurtz noting at the time that the most sophisticated part of the campaign was "how skillfully the threat actor took advantage of architectural limitations in Microsoft’s Active Directory Federation Service credentialing and authentication process.
The Golden SAML attack leveraged by [the hackers] allowed them to jump from customers' on-premise environments and into their cloud and cloud-applications, effectively bypassing multi-factor authentication... Unfortunately, based on flaws in the authentication architecture itself, this campaign is only the latest and surely not the last of a long string of major breaches in which hackers can impersonate most anybody on a network, gain the permissions needed to perform any actions on the network, bypass multi-factor authentication entirely and, every bit as devastating as it sounds, have the ability to sign in as a compromised user no matter how many times that user resets their password. The only silver lining to the Golden Ticket/Golden SAML problem is that, should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world's most widely used authentication platforms."
*Security vendor LogRhythm has a useful whitepaper on Golden SAML attacks here.
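The reason Golden SAML survives password resets and MFA is that the forged assertion is signed with the real AD FS token-signing key, so the relying party's signature check passes; the only thing that distinguishes it from a genuine token is that AD FS never issued it. The script below is an added example written for this article (not code from CrowdStrike, LogRhythm or Microsoft) showing the two checks a defender can run over captured assertions: compare the signing certificate against the tenant's current token-signing thumbprints, and correlate each assertion's subject and IssueInstant with the AD FS farm's own token-issuance events (Event ID 1200 in the AD FS Security log). All certificates, event records and assertions in it are constructed stand-ins; the SAML elements and namespaces are real, the signature value is omitted.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificate bytes. In production the trusted set comes
# from the AD FS farm itself (Get-AdfsCertificate -CertificateType Token-Signing).
CURRENT_CERT = base64.b64encode(b"constructed-token-signing-cert-2021").decode()
RETIRED_CERT = base64.b64encode(b"constructed-token-signing-cert-2019").decode()


def thumbprint(cert_b64):
    """SHA-1 thumbprint of a base64 certificate, upper-case hex as Windows shows it."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def make_assertion(user, issue_instant, cert_b64):
    """Build a minimal SAML 2.0 assertion (constructed; SignatureValue omitted)."""
    assertion_id = "_" + hashlib.md5(f"{user}{issue_instant}".encode()).hexdigest()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="{assertion_id}" IssueInstant="{issue_instant}" Version="2.0">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the fields the detection needs: subject, IssueInstant and the thumbprint
    of the certificate carried in <ds:KeyInfo>."""
    root = ET.fromstring(xml_text)
    user = root.find("saml:Subject/saml:NameID", NS).text
    issued = parse_time(root.get("IssueInstant"))
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    return {"user": user, "issued": issued, "thumbprint": thumbprint(cert)}


def find_golden_saml_candidates(assertion_xmls, adfs_events, trusted_thumbprints,
                                window=timedelta(minutes=5)):
    """Return {subject: [reasons]} for every assertion that either was signed by a
    certificate outside the trusted set or has no AD FS issuance event for the same
    user within `window` of its IssueInstant."""
    findings = {}
    for xml_text in assertion_xmls:
        a = parse_assertion(xml_text)
        reasons = []
        if a["thumbprint"] not in trusted_thumbprints:
            reasons.append("signing certificate is not a current token-signing certificate")
        issued_by_adfs = any(e["user"] == a["user"] and abs(e["time"] - a["issued"]) <= window
                             for e in adfs_events)
        if not issued_by_adfs:
            reasons.append("no AD FS issuance event for this user near IssueInstant")
        if reasons:
            findings[a["user"]] = reasons
    return findings


# Constructed AD FS token-issuance events: only alice's sign-in went through the farm.
ADFS_ISSUED = [
    {"time": parse_time("2021-10-25T08:02:11Z"), "user": "alice@corp.example"},
]

# Constructed assertions as presented to the cloud relying party.
PRESENTED = [
    make_assertion("alice@corp.example", "2021-10-25T08:02:13Z", CURRENT_CERT),     # genuine
    make_assertion("svc-admin@corp.example", "2021-10-25T23:41:00Z", CURRENT_CERT), # forged with the stolen current key
    make_assertion("bob@corp.example", "2021-10-25T10:00:00Z", RETIRED_CERT),       # signed with a retired key
]

if __name__ == "__main__":
    for user, reasons in find_golden_saml_candidates(PRESENTED, ADFS_ISSUED,
                                                     {thumbprint(CURRENT_CERT)}).items():
        print(user, "->", "; ".join(reasons))
```

The svc-admin assertion is the instructive case: its certificate is the farm's genuine current key, so the thumbprint check (and the relying party's signature validation) pass, and only the missing issuance event gives it away. That is why shipping AD FS Security-log events to the same place as cloud sign-in logs, and rotating the token-signing certificate after any suspected exposure, are the practical mitigations while the architectural issue Kurtz describes remains.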
In other supply chain security news, on October 22 the NPM account associated with a popular node.js package (UAParser.js, a library used by web applications to detect a user's browser type and operating system) was briefly hijacked and used to publish versions carrying a malicious script. As Sophos notes, on Linux machines the script installed a Monero miner; on Windows systems it also dropped malware that attempted to harvest user credentials.