A fourth malware strain wielded by the SolarWinds attackers has been detailed by Symantec researchers, followed by the disclosure of the attackers’ ingenious lateral movement techniques and the release of an auditing script by FireEye researchers that organizations can use to check their Microsoft 365 tenants for signs of intrusion.

On Monday, Symantec shared the result of their analysis of Raindrop, a loader that, similarly to the Teardrop backdoor, delivers a customized Cobalt Strike Beacon.

Unlike Teardrop, which was delivered by the initial Sunburst (Solorigate) backdoor, Raindrop was used for spreading across the victim’s network, and there is no evidence to date of it being delivered directly by Sunburst.

“Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst,” the researchers shared.

Symantec has released indicators of compromise (IOCs) and YARA rules that can come in handy for defenders.

Then, on Tuesday, Malwarebytes CEO Marcin Kleczynski disclosed that the same attackers targeted and breached the company, but not through the compromised SolarWinds Orion platform (which they don’t use).

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” he said.

## Techniques used by the attackers

FireEye is the firm that first uncovered the activities of the SolarWinds hackers and has visibility into many intrusions perpetrated by them, allowing it to detail several methodologies used by the attackers (and other threat actors) to move laterally from targets’ on-premises networks to the Microsoft 365 cloud:

- Stealing the Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users (aka a Golden SAML attack).
- Modifying or adding trusted domains in Azure AD to add a new federated Identity Provider (controlled by the attackers).
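Both federation-abuse techniques FireEye describes leave a trace in the tenant's domain federation settings: an extra token-signing certificate, a changed issuer, or a federated domain nobody configured. The following check, an added example that is not the FireEye auditing script or code from the article, compares such an export against a known-good baseline; the record shape, the `audit_federation` function and all domain names and thumbprints are constructed for illustration (assumed to mirror what an administrator would export from the tenant's domain settings).

```python
import json

# Known-good baseline a defender records when federation is first configured
# (constructed values; real thumbprints come from the AD FS token-signing certificate).
BASELINE = {
    "corp.example.com": {
        "issuer_uri": "http://adfs.corp.example.com/adfs/services/trust",
        "signing_thumbprints": {"0123456789ABCDEF0123456789ABCDEF01234567"},
    },
}

# Constructed export of tenant domain settings (assumed shape: one record per domain
# with its authentication type, issuer URI and token-signing certificate thumbprints).
SAMPLE_EXPORT = json.dumps([
    {"name": "corp.example.com", "authentication": "Federated",
     "issuer_uri": "http://adfs.corp.example.com/adfs/services/trust",
     "signing_thumbprints": ["0123456789ABCDEF0123456789ABCDEF01234567",
                             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]},
    {"name": "example.com", "authentication": "Managed"},
    {"name": "partner.example.net", "authentication": "Federated",
     "issuer_uri": "http://idp.unknown.example/trust",
     "signing_thumbprints": ["1111111111111111111111111111111111111111"]},
])


def audit_federation(export_json, baseline=BASELINE):
    """Return one finding string per deviation from the federation baseline."""
    findings = []
    for dom in json.loads(export_json):
        if dom.get("authentication") != "Federated":
            continue  # managed domains authenticate against Azure AD itself
        name = dom["name"]
        known = baseline.get(name)
        if known is None:
            # A federated domain nobody recorded: the "new federated IdP" technique.
            findings.append(f"{name}: federated domain absent from baseline (unexpected IdP)")
            continue
        if dom.get("issuer_uri") != known["issuer_uri"]:
            findings.append(f"{name}: IssuerUri changed to {dom.get('issuer_uri')}")
        extra = set(dom.get("signing_thumbprints", [])) - known["signing_thumbprints"]
        if extra:
            # An unknown signing certificate is what a Golden SAML forgery relies on.
            findings.append(f"{name}: unknown token-signing certificate(s) {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for line in audit_federation(SAMPLE_EXPORT):
        print(line)
```

On the constructed export this reports the extra certificate on corp.example.com and the unrecorded federated domain partner.example.net, while the managed domain is skipped.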