The Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor.
“With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected),” Microsoft explains.
“Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources.”
Once deployed the backdoor, threat actors used it to steal credentials, escalate privileges, and make lateral movement within the target network to gain the ability to create valid SAML tokens. Microsoft experts reported that attackers created valid SAML tokens by stealing the SAML signing certificate or by adding or modifying existing federation trust.
Then the attackers created SAML tokens to access cloud resources and exfiltrate emails and sensitive data.
“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.” continues the post.
Recently, both US CISA and cybersecurity firm Crowdstrike released free detection tools to audit Azure and MS 365 environments.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, SolarWinds)
[adrotate banner=”5″]
[adrotate banner=”13″]
The DoJ charged Anonymous Sudan members and disrupted their DDoS infrastructure, halting its cyber operations.…
Russia-linked threat actor RomCom targeted Ukrainian government agencies and Polish entities in cyber attacks since…
A critical flaw in Kubernetes Image Builder could allow attackers to gain root access if…
VMware fixes a high-severity SQL injection flaw in HCX allowing non-admin users to remotely execute…
Brazil's Polícia Federal has arrested hacker USDoD, the hacker behind the National Public Data and…
Finnish Customs shut down the Tor darknet marketplace Sipulitie and seized the servers hosting the…
This website uses cookies.