Instructions for spotting and keeping suspected Russians out of systems
Any organizations that used the backdoored SolarWinds network-monitoring software should take another look at their logs for signs of intrusion in light of new guidance and tooling.
In an update and white paper [PDF] released on Tuesday, FireEye warned that the hackers – which intelligence services and computer security outfits have concluded were state-sponsored Russians – had specifically targeted two groups of people: those with access to high-level information, and sysadmins.
But the targeting of those accounts will be difficult to detect, FireEye warned, because of the way they did it: forging the digital certificates and tokens used for authentication to look around networks without drawing much or any attention.
SolarWinds Attack Underscores New Dimension in Cyber-Espionage Tactics
Meanwhile, Malwarebytes is the latest victim, Symantec discovers a fourth piece of malware used in the massive attack campaign, and FireEye Mandiant releases a free tool to help spot signs of the attack.
The complex cyberattack campaign against major US government agencies and corporations including Microsoft and FireEye has driven home the reality of how attackers are setting their sights on cloud-based services such as Microsoft 365 and Azure Active Directory to access user credentials and ultimately the organization's most valuable and timely information.
Today Malwarebytes revealed that it, too, was compromised by the same attackers who infected SolarWinds Orion network management software to reach many of the targets in the campaign but via a different attack vector that gained privileged access to 365 and Azure. After an extensive investigation, we determined the attacker only gained acce
Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender Microsoft 365 Defender Team
UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.
SolarWinds Campaign Focuses Attention on Golden SAML Attack Vector
Adversaries that successfully execute the attack can achieve persistent anytime, anywhere access to a victim network, security researchers say.
The recently disclosed compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on a dangerous Active Directory Federation Services (ADFS) bypass technique dubbed Golden SAML, which cybersecurity vendor CyberArk first warned about in 2017.
The attack gives threat actors a way to maintain persistent access to all of an enterprise's ADFS federated services. This includes hosted email services, file storage services such as SharePoint, and hosted business intelligence apps, time-card systems, and travel systems, according to a blog post from Israel-based Sygnia. The attention that the SolarWinds campaign has drawn to the attack technique significantly raises the likelihood of adversaries leveraging it in future attacks, Sygni
Note: we are updating as the investigation continues. Revision history listed at the bottom.
This post contains technical details about the methods of the actor we believe was involved in Recent Nation-State Cyber Attacks, with the goal to enable the broader security community to hunt for activity in their networks and contribute to a shared defense against this sophisticated threat actor.
Please see the Microsoft Product Protections and Resources section for additional investigative updates, guidance, and released protections.
As we wrote in that blog, while these elements aren’t present in every attack, this is a summary of techniques that are part of the toolkit of this actor.