Security researchers have found links between the attackers and Turla, a sophisticated team suspected of operating out of Moscow’s FSB intelligence agency.
SolarWinds Campaign Focuses Attention on Golden SAML Attack Vector
Adversaries that successfully execute the attack can achieve persistent anytime, anywhere access to a victim network, security researchers say.
The recently disclosed compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on a dangerous Active Directory Federation Services (ADFS) bypass technique dubbed Golden SAML, which cybersecurity vendor CyberArk first warned about in 2017.
The attack gives threat actors a way to maintain persistent access to all of an enterprise's ADFS federated services. This includes hosted email services, file storage services such as SharePoint, hosted business intelligence apps, time-card systems, and travel systems, according to a blog post from Israel-based Sygnia. The attention that the SolarWinds campaign has drawn to the attack technique significantly raises the likelihood of adversaries leveraging it in future attacks, Sygni
NSA, CISA Warn of Attacks on Federated Authentication
While incident responders focus on attacks using SolarWinds Orion, government cyber defenders highlight other methods likely being used as well.
An attacker-modified update to the SolarWinds Orion network management product that compromised thousands of companies and government agencies is likely not the only way Russian attackers infiltrated networks, according to the US Cybersecurity and Infrastructure Security Agency (CISA) in an update over the weekend.
In an updated alert about the recent cyber-espionage attacks against government agencies and private-sector companies, CISA noted on Dec. 18 that the attackers appear to have used attack vectors other than the SolarWinds Orion platform. On Dec. 21, the agency pointed to an advisory published the previous week by the National Security Agency, which warned that attackers were stealing private keys for single sign-on (SSO) infrastructure to bypass two-factor authenti
SolarWinds Isn't the Only Way Hackers Entered Networks, CISA Says
The agency warned that ejecting attackers from networks will be tough, especially because they can likely read the email of IT and cybersecurity employees.
The fallout from the SolarWinds breaches will be far more difficult and time-consuming to remediate than originally assumed, as the attackers likely found more ways to enter federal networks than just the SolarWinds Orion product and have been targeting IT and response personnel, according to the government’s lead cybersecurity agency.
The Cybersecurity and Infrastructure Security Agency, or CISA, released an alert Thursday through the U.S. Computer Emergency Readiness Team, or US-CERT, detailing what the agency currently knows about the attack. The alert calls out at least one other attack vector beyond SolarWinds products and identifies IT and security personnel as prime targets of the hacking campaign.
Federal Agencies, Think Tank Targeted in Russian Hacking Spree
Hackers used a vulnerability in SolarWinds software in breaches on U.S. government agencies, including the Department of Homeland Security, Treasury and Commerce, the State Department and the National Institutes of Health.
by Jamie Tarabay, Bloomberg News / December 16, 2020
[Photo caption: A poster showing six wanted Russian military intelligence officers is displayed as FBI Deputy Director David Bowdich appears for a news conference at the Department of Justice on Oct. 19, 2020 in Washington, D.C. (Andrew Harnik/Pool/Getty Images/TNS)]
(TNS) The suspected Russian hackers behind a global campaign of cyberattacks that have breached U.S. government agencies also hit an American think tank, according to a cybersecurity firm that has been fighting them off.