Hacking

SolarWinds hackers aimed at access to victims’ cloud assets

Microsoft says that SolarWinds hackers aimed at compromising the victims’ cloud infrastructure after deploying the Solorigate backdoor (aka Sunburst).

The Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor.

“With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected),” Microsoft explains.

“Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources.”

Once deployed the backdoor, threat actors used it to steal credentials, escalate privileges, and make lateral movement within the target network to gain the ability to create valid SAML tokens. Microsoft experts reported that attackers created valid SAML tokens by stealing the SAML signing certificate or by adding or modifying existing federation trust.

Then the attackers created SAML tokens to access cloud resources and exfiltrate emails and sensitive data.

SolarWindsSolarWinds

“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.” continues the post.

Recently, both US CISA and cybersecurity firm Crowdstrike released free detection tools to audit Azure and MS 365 environments.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM, MDaemon Email Server, Srimax Output…

1 hour ago

A critical flaw in OpenPGP.js lets attackers spoof message signatures

A critical flaw in OpenPGP.js, tracked as CVE-2025-47934, lets attackers spoof message signatures; updates have…

3 hours ago

SK Telecom revealed that malware breach began in 2022

South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April…

6 hours ago

4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call

A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…

17 hours ago

China-linked UnsolicitedBooker APT used new backdoor MarsSnake in recent attacks

China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia.…

23 hours ago

UK’s Legal Aid Agency discloses a data breach following April cyber attack

The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that…

1 day ago