FireEye has released a report and PowerShell tool for auditing networks for evidence of attacker techniques that have been observed through investigations after Solarwinds hacks. While the report is over 35 pages long, a summary of the attackers’ techniques can be found below:
- Steal ADFS (Active Directory Federation Services) token-signing certificate and use it to forge tokens for arbitrary users.
- Modify or add trusted domains in Azure to add a new Identity Provider that the attacker controls, allowing for the forging of arbitrary users.
- Compromise important accounts like Global Administrator or Application Administrator.
- Hijack an existing Microsoft 365 application by adding a rogue credential to it to read email, send an email, access user calendars, and steal other data, all while bypassing MFA.
Analyst Notes
Because malicious AD activity is almost impossible to identify without logs, Binary Defense recommends routing Azure AD audit logs and sign-in logs to an Azure storage account, event hub, Azure Monitor logs, or a custom solution. Review the log sources that were needed to support the FireEye investigation and verify that those log sources are being collected and retained for a sufficient length of time. The SolarWinds attack timeline suggests that some attacks may not be recognized for six months or longer, and that important logs should be retained for at least that long, if possible. Next, Binary Defense recommends employing both a 24/7 SOC monitoring solution, along with a threat hunting capability to identify current threats and create custom detections for new threats.
The ZDNet article can be found here: https://www.zdnet.com/article/fireeye-releases-tool-for-auditing-networks-for-techniques-used-by-solarwinds-hackers/
The full text of the FireEye report can be found here: https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html .
