One of the most chilling aspects of Russia’s recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this wasn’t the only striking feature of the assault. Once they had initial access through SolarWinds, the attackers employed simple and elegant strategies to bore deeper into their chosen targets’ networks. Now researchers are bracing for a surge in those techniques from other attackers.

The SolarWinds hackers used their access in many cases to infiltrate their victims’ Microsoft 365 email services and Microsoft Azure Cloud infrastructure—both treasure troves of potentially sensitive and valuable data. The challenge of preventing these types of intrusions into Microsoft 365 and Azure is that they don’t depend on specific vulnerabilities that can simply be patched. Instead hackers use an initial attack that positions them to manipulate Microsoft 365 and Azure in a way that appears legitimate. In this case, to great effect.

“Now there are other actors that will obviously adopt these techniques, because they go after what works,” says Matthew McWhirt, a director at Mandiant FireEye, which first identified the Russian campaign at the beginning of December.

In the recent barrage, hackers compromised a SolarWinds product, Orion, and distributed tainted updates that gave the attackers a foothold on the network of every SolarWinds customer who downloaded the malicious patch. From there, the attackers could use their newfound privileges on victim systems to take control of certificates and keys used to generate system authentication tokens, known as SAML tokens, for Microsoft 365 and Azure. Organizations manage this authentication infrastructure locally, rather than in the cloud, through a Microsoft component called Active Directory Federation Services.

Once an attacker has the network privileges to manipulate this authentication scheme, they can generate legitimate tokens to access any of the organization’s Microsoft 365 and Azure accounts, no passwords or multifactor authentication required. From there, the attackers can also create new accounts, and grant themselves the high privileges needed to roam freely without raising red flags.

“We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Microsoft said in a December blog post that linked these techniques to the SolarWinds hackers. “We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”

The National Security Agency also detailed the techniques in a December report.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML tokens could be forged, granting access to numerous resources.”

Microsoft has since expanded its monitoring tools in Azure Sentinel. And Mandiant is also releasing a tool that makes it easier for groups to assess whether someone has been monkeying with their authentication token generation for Azure and Microsoft 365, like surfacing information on new certificates and accounts.

Now that the techniques have been exposed very publicly, more organizations may be on the lookout for such malicious activity. But SAML token manipulation is a risk for virtually all cloud users, not just those on Azure, as some researchers have warned for years. In 2017, Shaked Reiner, a researcher at the corporate defense firm CyberArk, published findings about the technique, dubbed GoldenSAML. He even built a proof of concept tool that security practitioners could use to test whether their clients were susceptible to potential SAML token manipulation.
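The article describes how control of the AD FS token-signing certificate lets an attacker mint SAML tokens that relying parties accept as genuine, and notes that Mandiant’s tool surfaces newly added certificates and accounts. The following is an added example, not code from the article, Mandiant, Microsoft, or CyberArk: a small defender-side audit that inspects SAML assertions (as a relying party or a log pipeline might see them) and flags ones whose embedded signing certificate is not on a pinned allowlist, whose issuer is unexpected, or whose validity window exceeds an assumed policy. The issuer URL, the thumbprint allowlist, the one-hour lifetime limit, and the certificate bytes are all constructed placeholders.

```python
"""Audit SAML assertions for signs of token-signing abuse (added example).

Assumes the defender has pinned the SHA-1 thumbprints of the AD FS farm's
legitimate token-signing certificates and knows the farm's issuer string.
Any assertion signed by a certificate outside that set, or with an
unexpected issuer or an unusually long validity window, is reported.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed defender policy (placeholders, not values from the article).
EXPECTED_ISSUER = "http://adfs.example.test/adfs/services/trust"
MAX_LIFETIME = timedelta(hours=1)

# Constructed stand-ins for DER certificate bytes; not real certificates.
TRUSTED_CERT_B64 = base64.b64encode(b"constructed-legit-token-signing-cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed-unknown-signing-cert").decode()


def cert_thumbprint(b64_der):
    """SHA-1 thumbprint of a base64 DER certificate, upper-case hex as AD FS and Azure display it."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha1(der).hexdigest().upper()


# The allowlist a defender would populate from the known-good AD FS configuration.
TRUSTED_THUMBPRINTS = {cert_thumbprint(TRUSTED_CERT_B64)}


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_assertion(assertion_xml, trusted=TRUSTED_THUMBPRINTS, issuer=EXPECTED_ISSUER):
    """Return a list of findings for one assertion; an empty list means nothing suspicious."""
    root = ET.fromstring(assertion_xml)
    findings = []

    actual_issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if actual_issuer != issuer:
        findings.append(f"unexpected issuer {actual_issuer!r}")

    # Every signing certificate embedded in the XML signature must be pinned.
    certs = [e.text for e in root.iterfind(".//ds:X509Certificate", NS) if e.text]
    if not certs:
        findings.append("no signing certificate embedded")
    for cert in certs:
        thumbprint = cert_thumbprint(cert)
        if thumbprint not in trusted:
            findings.append(f"signed by untrusted certificate {thumbprint}")

    # A validity window far longer than the farm normally issues is worth a look.
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        lifetime = _parse_time(cond.get("NotOnOrAfter")) - _parse_time(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"assertion lifetime {lifetime} exceeds policy")
    else:
        findings.append("missing validity window")
    return findings


def _assertion(cert_b64, not_before, not_after, issuer=EXPECTED_ISSUER):
    """Build a minimal constructed assertion (no real SignatureValue) for the samples below."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
</saml:Assertion>"""


# Constructed samples: one normal hour-long token, one signed by an unknown cert and valid for a year.
LEGIT_ASSERTION = _assertion(TRUSTED_CERT_B64, "2020-12-13T10:00:00Z", "2020-12-13T11:00:00Z")
SUSPICIOUS_ASSERTION = _assertion(ROGUE_CERT_B64, "2020-12-13T10:00:00Z", "2021-12-13T10:00:00Z")

if __name__ == "__main__":
    for name, xml in (("legit", LEGIT_ASSERTION), ("suspicious", SUSPICIOUS_ASSERTION)):
        print(name, audit_assertion(xml) or "OK")
```

A token forged with the farm’s own stolen signing certificate passes the thumbprint check, which is exactly why this kind of assertion audit only complements, and does not replace, monitoring of the AD FS configuration itself for new or changed token-signing certificates and of the tenant for newly created privileged accounts.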
