Update to SolarWinds Threat: Identity is the New Perimeter

Update to SolarWinds Threat: Identity is the New Perimeter Update to our December 15th blog: Secureworks' Response to Recent Nation-State Cyberattacks.Tuesday, January 5, 2021By: Barry Hensley - Secureworks Chief Threat Intelligence Officer

Secureworks Counter Threat Unit™ researchers continue to investigate and help customers respond to the sophisticated SolarWinds supply chain compromise last month. Our observations to date support third-party reporting that while many organizations received the trojanized software, only a fraction of those would see any follow-on activity that would indicate that they were targeted.

The repercussions of what has been discovered over the past 30 days are likely to be felt for months to come, and as we begin to take stock of what we have learned so far through the work we are doing with customers, two issues stand out:

Patching Matters

Investigations into the SolarWinds supply chain compromise led to the discovery of a second, unrelated threat actor exploiting a previously unknown (zero-day) vulnerability in internet-connected servers running SolarWinds Orion software to deploy a web shell (known as SUPERNOVA), steal credentials, and attempt to move laterally within compromised networks.

While a zero-day might have been leveraged to deploy the SUPERNOVA web shell, it is rare that we see adversaries leverage these vulnerabilities. There are a vast number of opportunistic threats like ransomware that continue to exploit well-known and patchable vulnerabilities. We must not lose focus on the critical importance of a comprehensive vulnerability management program including prioritized patching.

Identity is The New Perimeter

The compromise of SolarWinds Orion software to deliver malware was just one of what may turn out to be multiple attack paths. Having gained access, a sophisticated threat actor can stealthily subvert authentication mechanisms to reach sensitive resources hosted on cloud services such as email, chat messages and files. They can do this by:

• Using on-premise intrusions to obtain privileges in cloud tenants. This might involve stealing SAML token-signing certificates and using them to forge trusted authentication tokens to access cloud resources.
• Accessing and modifying permissions for cloud applications, to give those applications (and therefore the attacker) access to additional resources.
• Using new forged credentials to bypass multi-factor authentication and 'Backdoor' cloud applications maintaining persistent long-term access.

We see attacks that rely on stolen identities all the time. But these campaigns highlight the growing importance of identity management and protection, how adversaries will target this attack surface and how endpoint detection alone cannot be successful against these types of complex threats. If an adversary can compromise the private keys used to issue authentication tokens, or add accounts with privileged access, then controls predicated on that trust model are voided. As single sign-on becomes the norm with organizations reconfiguring for remote employees, and more data moves to the cloud, compromising the right identity within an organization potentially gives a threat actor unfettered access to critical business data.

How Secureworks Is Protecting You

We are proactively running threat hunts for customers where we have visibility to data to do so. We are using specific telemetry from various cloud/identity providers to detect fraudulent identity activity because traditional endpoint detections on their own may be insufficient to identify adversaries leveraging compromised identities. We are also constantly updating our threat hunting playbooks based on our investigation of these campaigns to ensure that something we learn in one customer environment can be leveraged at scale to benefit all customers.

In this spirit, we have also opened up access to our Global Threat Intelligence for all customers to give you context and actionable insights you need about this evolving threat.

How You Can Protect Your Organization

Patching is critically important but 'patch everything' is often not practical. Organizations need to prioritize the order in which vulnerabilities are patched to minimize time and cost. Vulnerability prioritization identifies the most critical risks to your organization and which ones should be patched first. This prioritization is most effective if based on numerous distinct factors, including relevant threat intelligence and the automated analysis of the asset context.

Organizations should also review Microsoft's recommendations to protect their cloud infrastructure from on-premises attacks and retain log sources such as the Azure directory audit log that are essential to investigating identity-based intrusions. For organizations that don't retain these logs, the unified audit log in the Microsoft 365 compliance center is a useful alternative.

While zero-day vulnerabilities remain a key challenge for high profile targets, for most organizations dedication to the basics and a layered security strategy is key to limiting exposure and minimizing the impact of threats that are detected every day.

Secureworks remains committed to providing you with the support and context you need to understand your organization's risk and make informed decisions about how best to prioritize your security activities.