In December, the disclosure of the supply chain attack against SolarWinds sent shockwaves throughout federal agencies responsible for the security of US information assets. The ripple effect hit the IT community as well. Those ripples have continued into 2021, as what was already seen as a sophisticated attack on the IT supply chain has taken additional twists. New evidence points to attackers using well-established methods to gain initial access the old-fashioned way, through on-premises Active Directory (AD).
Compromising the SolarWinds build environment and sending Trojanized versions of updates for the Orion Platform is the best-known tactic believed to have been used by the threat group behind the attacks. According to the Cybersecurity and Infrastructure Security Agency (CISA), the threat actor was observed compromising or bypassing federated identity solutions and leveraging forged authentication tokens to move laterally to Microsoft cloud environments. From there, the threat