fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft: SolarWinds Hackers’ Goal Was The Victims’ Cloud Data

Microsoft: SolarWinds Hackers’ Goal Was The Victims’ Cloud Data

Microsoft says that the end goal of the SolarWinds supply chain compromise was to pivot to the victims’ cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks.

No new tactics, techniques, and procedures (TTPs) were shared in a blog post published on Monday to provide Microsoft 365 Defender users with threat hunting techniques for investigating Sunburst attacks.

However, Microsoft also shared another important bit of information: the end goal of the SolarWinds hackers’ attacks, something that was only hinted at previously.

Targets set on cloud resources

As the Microsoft 365 Defender Team explains, after infiltrating a target’s network with the help of the Sunburst backdoor, the attackers’ goal is to gain access to the victims’ cloud assets.

“With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected),” Microsoft explains.

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

“Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources [..].”

Microsoft’s previous articles on the SolarWinds supply chain attack and National Security Agency (NSA) guidance also hinted at the fact that the attackers’ ultimate goal was to generate SAML (Security Assertion Markup Language) tokens to forge authentication tokens allowing access to cloud resources.

Solorigate attack chain overview
Source: Microsoft

The threat actors behind the SolarWinds hack first had to compromise the SolarWinds Orion Platform build system and abuse it to deliver a backdoor injected as a legitimate DLL via the software update system.

Once the DLL is loaded after the application is started, the backdoor would reach out to its command-and-control server and allow the threat actors to infiltrate the network.

Next, they elevate privileges and move laterally through the victim’s network with the end goal of gaining admin privileges or stealing the (private) SAML signing key.

Once this happens, they forge trusted SAML tokens which allow them to access cloud assets and exfiltrate emails from accounts of interest.

Attack chain and unauthorized cloud access mitigation

Microsoft also detailed the step by step procedure used by the attackers to gain access to their victims’ cloud assets:

  1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
  2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods:
    1. Stealing the SAML signing certificate (Path 1)
    2. Adding to or modifying existing federation trust (Path 2)
  3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud

In its guidance highlighting SolarWinds hackers’ TTPs for pivoting to cloud resources, the NSA also shared mitigation measures against unauthorized cloud access which require making it difficult for threat actors to gain access to on-premise identity and federation services.

The NSA recommends enforcing multi-factor authentication, removing unnecessary apps with credentials, disabling legacy authentication, and using a FIPS-validate Hardware Security Module (HSM) to secure the private keys.

Search local and cloud logs for signs of suspicious tokens, as well as detecting indicators of compromise (IOCs) and auth mechanism abuse attempts can also be used by the tenant and the cloud service provider to spot attacks.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

Last week, the FBI also shared a TLP:WHITE private industry notification [PDF] with info on how system administrators and security professionals can determine if APT actors have exploited SolarWinds vulnerabilities on their systems.

DHS-CISA and cybersecurity firm Crowdstrike have also released free malicious activity detection tools to search for SAML token usage anomalies in audit logs and enumerate Azure tenant assigned privileges.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us