FireEye released a new security tool to defend against the nation-state threat group behind the SolarWinds attacks.
As the aftermath of the SolarWinds supply chain attack unfolds, new security concerns continue to arise, including intrusions into Microsoft 365 environments. In a blog post Tuesday, members of FireEye's Mandiant team -- principal consultant Mike Burns, senior manager Matthew McWhirt, incident response manager Douglas Bienstock and managing director Nick Bennett -- unveiled an auditing script called Azure AD Investigator that's designed to detect such intrusions.
According to the blog post and accompanying white paper, organizations can use the free tool to "check their Microsoft 365 tenants for indicators of some of the techniques used by UNC2452." UNC2452 is FireEye's designation for the threat group behind the global SolarWinds attack. The script, released through FireEye's GitHub repository, will help to differentiate between malicious and legitimate activity.
"Many of the attacker techniques detailed in the white paper are dual-use in nature -- they can be used by threat actors but also by legitimate tools. Therefore a detailed review for specific configuration parameters may be warranted, including correlating and verifying that configurations are aligned with authorized and expected activities," the blog post said.
Azure Active Directory (AD) is a cloud service that allows administrators to manage user identities and access permissions. Azure AD also allows admins to choose which types of data can be moved to the cloud, who can manage or use the data and which services or applications can access it.
In addition to the auditing tool, the blog post also detailed new tactics, techniques and procedures (TTPs) used by the attackers. FireEye said it has recently observed UNC2452, as well as other threat actors, gaining access to Microsoft 365 environments. According to the blog, those actors move laterally to the Microsoft 365 cloud using a combination of four primary techniques.
The first technique involves stealing the Active Directory Federation Services (AD FS) certificate, which would "allow an attacker to authenticate into a federated resource provider such as Microsoft 365 as any user, without the need for that user's password." The second technique modifies or adds trusted domains in Azure AD, which enables threat actors to forge tokens for arbitrary users or an "Azure AD backdoor."
The third technique compromises the credentials of on-premises user accounts and takes advantage of highly privileged directory roles. The fourth tactic creates a backdoor to an existing Microsoft 365 application by adding a new application or service principal credential, which would grant legitimate permissions to the application, such as the ability to read and send emails to unauthorized users, or access user calendars.
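The blog post's point is that the second and fourth techniques leave configuration traces (a new federated domain, a new service principal secret or certificate) that are only suspicious when compared against what the organization expected. The following added example, which is not FireEye's Azure AD Investigator, shows that kind of baseline comparison over a tenant snapshot; the record shape is modeled on Microsoft Graph `domain` and `servicePrincipal` objects, and all domains, names and IDs are constructed sample data.

```python
"""Flag 'trusted domain' and 'application credential' indicators in an
Azure AD tenant snapshot. Added example; record shape is modeled on the
Microsoft Graph 'domain' and 'servicePrincipal' resources, and every
record below is constructed sample data, not from a real tenant."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 1, 20, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed snapshot: one domain federated long ago, one managed, one newly federated.
DOMAINS = [
    {"id": "corp.example", "authenticationType": "Federated", "isVerified": True},
    {"id": "example.onmicrosoft.com", "authenticationType": "Managed", "isVerified": True},
    {"id": "newly-added.example", "authenticationType": "Federated", "isVerified": True},
]
SERVICE_PRINCIPALS = [
    {"displayName": "Mail Sync Connector",
     "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2019-06-01T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "Exchange Online",
     "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "k2", "startDateTime": "2021-01-15T03:12:00Z",
                         "type": "AsymmetricX509Cert"}]},
]

# Baseline the organization maintains of domains it knowingly federated; this is
# the "authorized and expected activity" the findings must be correlated with.
EXPECTED_FEDERATED = {"corp.example"}


def parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2021-01-15T03:12:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unexpected_federated_domains(domains, expected=EXPECTED_FEDERATED):
    """Federated domains absent from the baseline (the 'Azure AD backdoor' indicator)."""
    return sorted(d["id"] for d in domains
                  if d.get("authenticationType") == "Federated" and d["id"] not in expected)


def recently_added_credentials(sps, now=NOW, window_days=30):
    """(display name, keyId) of secrets or certs added to a service principal in the window."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for sp in sps:
        for cred in sp.get("passwordCredentials", []) + sp.get("keyCredentials", []):
            if parse_ts(cred["startDateTime"]) >= cutoff:
                hits.append((sp["displayName"], cred["keyId"]))
    return hits
```

Both checks produce review candidates rather than verdicts, since a legitimate migration or an admin rotating a secret leaves the same trace; each hit still has to be matched to a change ticket or audit-log entry.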
SearchSecurity contacted FireEye for additional information regarding the new TTPs, but the company had not responded.
UPDATE 1/21: SearchSecurity received the following statements from FireEye: "UNC2452 has obtained access to victim environments in other ways beyond Sunburst, e.g. password spraying and leveraging other third-party relationships," said Charles Carmakal, senior vice president and CTO at Mandiant. Matthew McWhirt, director at Mandiant, said FireEye has not observed the SolarWinds backdoor and Azure AD backdoor together in the same intrusion.
On Tuesday, antimalware vendor Malwarebytes disclosed that the SolarWinds attackers had breached its Microsoft 365 environments and gained access to "a limited subset of internal company emails." Malwarebytes said the intrusion represented a new attack vector for the nation-state threat group since Malwarebytes is not a SolarWinds customer and had no installations of the malicious Orion software updates.
The new tool is another step in FireEye's continued investigation of, and response to, the SolarWinds supply chain attack.
FireEye was the first to disclose the hack in December when an internal investigation revealed an attack it had suffered was part of a larger cyberespionage campaign. The cybersecurity vendor partnered with GoDaddy and Microsoft to deploy a kill switch for the malware, which FireEye dubbed "Sunburst." It helped to mitigate some of the potential impact of the wide-scope attack. However, further investigations have revealed additional victims and attack vectors.