The Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor.
“With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected),” Microsoft explains.
“Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources.”
Once deployed the backdoor, threat actors used it to steal credentials, escalate privileges, and make lateral movement within the target network to gain the ability to create valid SAML tokens. Microsoft experts reported that attackers created valid SAML tokens by stealing the SAML signing certificate or by adding or modifying existing federation trust.
Then the attackers created SAML tokens to access cloud resources and exfiltrate emails and sensitive data.
“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.” continues the post.
Recently, both US CISA and cybersecurity firm Crowdstrike released free detection tools to audit Azure and MS 365 environments.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, SolarWinds)
[adrotate banner=”5″]
[adrotate banner=”13″]
Google addressed a Chrome's Password Manager bug that caused user credentials to disappear temporarily for…
The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS…
Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks.…
Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report…
A critical flaw in some versions of Docker Engine can be exploited to bypass authorization…
The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers…
This website uses cookies.