FireEye publishes Microsoft 365 tools and hardening strategies to defend against SolarWinds attackers

Security firm FireEye has published new Microsoft 365 tools and hardening strategies to defend against SolarWinds attackers.

In mid-December 2020, FireEye disclosed a “global intrusion campaign” built on a supply chain attack against SolarWinds. The actors, which FireEye tracks as UNC2452, trojanized updates to the SolarWinds Orion platform and used them to distribute a backdoor FireEye named “Sunburst.”

The trojanized updates gave the actors initial access to SolarWinds customers’ on-premises networks. In some cases, the same attackers then pivoted from the on-premises environment into the victims’ Microsoft 365 tenants.

To help defenders respond, FireEye published a new white paper, Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. The paper covers both remediating environments in which these techniques have already been used and hardening tenants against them.

Azure AD Investigator

First, FireEye released a new PowerShell tool, Azure AD Investigator, on GitHub. Organizations can run it against their Microsoft 365 tenants to look for indicators of some of the techniques UNC2452 used.

“The script will alert administrators and security practitioners to artifacts that may require further review to determine if they are truly malicious or part of legitimate activity. Many of the attacker techniques detailed in the white paper are dual-use in nature—they can be used by threat actors but also by legitimate tools,” FireEye wrote in the accompanying blog post.

Attacker techniques

Second, FireEye summarized the four primary techniques UNC2452 used to move laterally from compromised on-premises networks into victims’ Microsoft 365 tenants. An attacker could:

  1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge SAML tokens for arbitrary users (sometimes described as Golden SAML). Because Azure AD trusts any token signed with that certificate, the attacker can authenticate as any user, bypassing password and MFA checks entirely.
  2. Modify or add trusted domains in Azure AD so that a new federated identity provider (IdP) under the attacker’s control is accepted. Azure AD will then trust tokens signed by the attacker’s IdP, giving them a persistent backdoor into the tenant.
  3. Compromise the credentials of highly privileged on-premises user accounts that are synchronized to Microsoft 365, and reuse them against the cloud tenant.
  4. Backdoor an existing Microsoft 365 application by adding a new credential (certificate or secret) to its app registration or service principal, then use the permissions already granted to that application. Examples include the ability to read and send email and to access users’ calendars.
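
The following PowerShell sweep is an added illustration, not FireEye’s Azure AD Investigator or code from the white paper. It enumerates the tenant-side artifacts of techniques 2 and 4: every federated domain together with the issuer, logon URI and signing-certificate thumbprint Azure AD trusts for it, and every application or service principal credential added within a review window. The MSOnline and AzureAD module names are real, but the assumption that both sessions are already connected with a read-capable admin role, the 30-day default window, and the list of known-good AD FS thumbprints are inputs you supply.

```powershell
# Added example, not FireEye's Azure AD Investigator: a read-only sweep for tenant-side
# artifacts of techniques 2 and 4 above. Assumes the MSOnline and AzureAD modules are
# installed and that Connect-MsolService and Connect-AzureAD have already been run with a
# read-capable admin role. Findings are review leads, not proof of compromise: both
# operations are dual-use and are performed routinely by legitimate administrators.
param(
    # Review window for newly added credentials (assumed default; tune per tenant).
    [int]$LookbackDays = 30,
    # Thumbprints of the token-signing certificates your AD FS farm actually uses,
    # e.g. from `Get-AdfsCertificate -CertificateType Token-Signing` run on the farm
    # (assumed input; an empty list means "do not compare").
    [string[]]$KnownSigningCertThumbprints = @()
)

function ConvertTo-Thumbprint([string]$Base64Cert) {
    # Federation settings expose the IdP signing certificate as a Base64-encoded DER blob.
    if ([string]::IsNullOrEmpty($Base64Cert)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64Cert)
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes).Thumbprint
}

function Get-FederatedDomainReport {
    # Technique 2: each federated domain names the IdP whose tokens Azure AD will accept.
    # An IssuerUri or PassiveLogOnUri outside your own AD FS farm, or a signing certificate
    # you do not recognise, is a candidate backdoor.
    Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object {
        $fed   = Get-MsolDomainFederationSettings -DomainName $_.Name
        $thumb = ConvertTo-Thumbprint $fed.SigningCertificate
        $next  = ConvertTo-Thumbprint $fed.NextSigningCertificate
        $known = ($KnownSigningCertThumbprints.Count -eq 0) -or ($thumb -in $KnownSigningCertThumbprints)
        [pscustomobject]@{
            Domain                    = $_.Name
            IssuerUri                 = $fed.IssuerUri
            PassiveLogOnUri           = $fed.PassiveLogOnUri
            FederationBrandName       = $fed.FederationBrandName
            SigningCertThumbprint     = $thumb
            NextSigningCertThumbprint = $next
            SigningCertKnown          = $known
        }
    }
}

function New-CredentialFinding($ObjectType, $DisplayName, $AppId, $Cred, $Since) {
    # Emit one record per credential whose validity started inside the review window.
    if ($null -eq $Cred.StartDate -or $Cred.StartDate -lt $Since) { return }
    # Key credentials carry Type/Usage (e.g. AsymmetricX509Cert/Verify); password credentials do not.
    $kind = if ($Cred.PSObject.Properties['Usage']) { "Key ($($Cred.Type)/$($Cred.Usage))" } else { 'Password' }
    [pscustomobject]@{
        ObjectType  = $ObjectType
        DisplayName = $DisplayName
        AppId       = $AppId
        Credential  = $kind
        KeyId       = $Cred.KeyId
        StartDate   = $Cred.StartDate
        EndDate     = $Cred.EndDate
    }
}

function Get-RecentCredentialReport {
    # Technique 4: a credential added to an existing app registration or service principal
    # lets its holder act with whatever permissions that app already has (e.g. Mail.Read).
    $since = (Get-Date).AddDays(-$LookbackDays)

    # Application objects (app registrations) ...
    Get-AzureADApplication -All $true | ForEach-Object {
        $app   = $_
        $creds = @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId) +
                 @(Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId)
        foreach ($c in $creds) { New-CredentialFinding 'Application' $app.DisplayName $app.AppId $c $since }
    }
    # ... and service principals, which can carry credentials of their own.
    Get-AzureADServicePrincipal -All $true | ForEach-Object {
        $sp    = $_
        $creds = @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId) +
                 @(Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId)
        foreach ($c in $creds) { New-CredentialFinding 'ServicePrincipal' $sp.DisplayName $sp.AppId $c $since }
    }
}

Write-Host '== Federated domains (review any unexpected issuer or unknown signing certificate) =='
Get-FederatedDomainReport | Format-List

Write-Host "== App/service principal credentials added in the last $LookbackDays days =="
Get-RecentCredentialReport | Sort-Object StartDate -Descending | Format-Table -AutoSize
```

Two caveats a reviewer should keep in mind. First, the output is a list of things to explain, not a verdict: federation changes and credential rotation are normal administrative work, which is exactly the dual-use problem FireEye describes. Second, the tenant can only tell you which certificate it trusts; it cannot tell you whether that certificate’s private key has been stolen (technique 1). Comparing the reported thumbprints against what `Get-AdfsCertificate -CertificateType Token-Signing` returns on the AD FS farm confirms the trust is pointed at your own farm, but if the key itself is suspected compromised, the certificate has to be rotated and the federation trust re-established rather than merely verified.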

Previous articles on the SolarWinds attacks are linked below.

Related Articles