Cyber warfare

SolarWinds hackers also used common hacker techniques, CISA revealed

CISA revealed that threat actors behind the SolarWinds hack also used password guessing and password spraying in its attacks.

Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.

“Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[1]reads the CISA’s alert. “However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.”

CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by thet attackers.

The alert issued on January 6, highlights that it does not supersede the requirements of ED 21-01 or any supplemental guidance and does not represent formal guidance to federal agencies under ED 21-01.

CISA added that it is investigating incidents in which threat actors abused the Security Assertion Markup Language (SAML) tokens.

Experts from CISA observed threat actors escalating privilege within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. Then the attackers used to forge authentication tokens (OAuth) to issue claims to service providers and then attempt to access the Microsoft Cloud environments.

At the end of December, the Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor.

In a report published on December 28, Microsoft said the threat actor’s primary goal was to gain access to cloud-hosted infrastructure, which in many cases was the company’s own Azure and Microsoft 365 environments.

To help victims deal with these “to-cloud” escalations, CISA has also published a second advisory today with guidance on how to search Microsoft-based cloud setups for traces of this group’s activity and then remediate servers.

Once deployed the backdoor, threat actors used it to steal credentials, escalate privileges, and make lateral movement within the target network to gain the ability to create valid SAML tokens. Microsoft experts reported that attackers created valid SAML tokens by stealing the SAML signing certificate or by adding or modifying existing federation trust.

Then the attackers created SAML tokens to access cloud resources and exfiltrate emails and sensitive data.

“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.” continues the post.

Recently, both US CISA and cybersecurity firm Crowdstrike released free detection tools to audit Azure and MS 365 environments.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SK Telecom revealed that malware breach began in 2022

South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April…

3 hours ago

4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call

A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…

14 hours ago

China-linked UnsolicitedBooker APT used new backdoor MarsSnake in recent attacks

China-linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia.…

20 hours ago

UK’s Legal Aid Agency discloses a data breach following April cyber attack

The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that…

23 hours ago

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Cybersecurity Observatory of the Unipegaso's malware lab published a detailed analysis of the Sarcoma ransomware.…

1 day ago

Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…

2 days ago