Microsoft's investigation into the headline-grabbing SolarWinds cyberattack continues, with more information coming to light regarding the attackers' intentions.

The attack, referred to as Solorigate by Microsoft (and Sunburst by cybersecurity firm FireEye), claimed numerous high-profile targets, particularly US government departments.

Microsoft Reveals Suspected SolarWinds End-Goal

As if claiming scalps such as the US Treasury and the Departments of Homeland Security, State, Defence, Energy, and Commerce wasn't enough, a recent Microsoft Security blog indicates that the attack's actual target was cloud storage assets.


The attackers gained access to the target networks using a malicious SolarWinds Orion update. Having previously compromised SolarWinds and inserted malicious files into a software update, the attackers were granted complete access to the network once the update was installed.

Once inside, the attackers have "little risk of detection because the signed application and binaries are common and considered trusted."

Because the risk of detection was so low, the attackers could take their pick of targets. With the backdoor installed, attackers could take their time figuring out the value of continuing to explore the network, leaving "low-value" networks as a fallback option.


Microsoft believes the attackers' final motive was to use "the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens."

SAML (Security Assertion Markup Language) tokens are a type of security key. If the attackers could steal the SAML signing key (effectively a master key), they could create security tokens that would pass validation, then use those self-validated tokens to access cloud storage services and email servers.

With the ability to create illicit SAML tokens, the attackers can access sensitive data without having to originate from a compromised device or be confined to on-premises persistence. By abusing API access via existing OAuth applications or service principals, they can attempt to blend into the normal pattern of activity of those apps or service principals.
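The defender's counterpart to the forgery described above is to check every SAML token the cloud side accepted against what the on-premises federation server actually issued. The following Python script is an added example and is not code from Microsoft, the NSA, or SolarWinds. It assumes two constructed inputs: cloud-side sign-in records carrying the token's issuer, signing-key thumbprint and validity window, and the set of assertion IDs the federation server logged as issued. The issuer URI, thumbprint and policy lifetime are placeholders, and the function and record names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed values for this example; a real deployment would take the issuer URI
# and the signing-certificate thumbprint from the federation server's configuration.
TRUSTED_ISSUER = "http://sts.example.invalid/adfs/services/trust"
TRUSTED_KEY_THUMBPRINT = "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3"
MAX_TOKEN_LIFETIME = timedelta(hours=1)  # hypothetical policy value


@dataclass(frozen=True)
class TokenUse:
    """One SAML token as observed on the cloud side (the relying party)."""
    assertion_id: str
    issuer: str
    key_thumbprint: str
    subject: str
    not_before: datetime
    not_on_or_after: datetime


def find_suspicious_tokens(token_uses, idp_issued_ids,
                           trusted_issuer=TRUSTED_ISSUER,
                           trusted_thumbprint=TRUSTED_KEY_THUMBPRINT,
                           max_lifetime=MAX_TOKEN_LIFETIME):
    """Return {assertion_id: [reasons]} for every token that fails a check.

    A token signed with a stolen but genuine key passes the issuer and
    thumbprint checks; only the missing issuance event on the federation
    server gives it away, which is why that correlation matters most.
    """
    findings = {}
    for t in token_uses:
        reasons = []
        if t.issuer != trusted_issuer:
            reasons.append("unexpected issuer")
        if t.key_thumbprint.upper() != trusted_thumbprint.upper():
            reasons.append("signed by a key that is not the current IdP signing key")
        if t.not_on_or_after - t.not_before > max_lifetime:
            reasons.append("validity window exceeds policy")
        if t.assertion_id not in idp_issued_ids:
            reasons.append("no matching issuance event on the federation server")
        if reasons:
            findings[t.assertion_id] = reasons
    return findings


def _ts(s):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data: one legitimate token, one forged with the genuine key
# (never issued by the IdP), and one forged with a foreign key and a year-long lifetime.
CLOUD_TOKEN_USES = [
    TokenUse("_a1", TRUSTED_ISSUER, TRUSTED_KEY_THUMBPRINT, "alice@example.invalid",
             _ts("2020-12-14T09:00:00"), _ts("2020-12-14T10:00:00")),
    TokenUse("_b2", TRUSTED_ISSUER, TRUSTED_KEY_THUMBPRINT, "svc-admin@example.invalid",
             _ts("2020-12-14T09:05:00"), _ts("2020-12-14T10:05:00")),
    TokenUse("_c3", TRUSTED_ISSUER, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "bob@example.invalid",
             _ts("2020-12-14T09:10:00"), _ts("2021-12-14T09:10:00")),
]
IDP_ISSUED_IDS = {"_a1"}  # what the federation server's own log says it issued


def run_example():
    return find_suspicious_tokens(CLOUD_TOKEN_USES, IDP_ISSUED_IDS)


if __name__ == "__main__":
    for assertion_id, reasons in run_example().items():
        print(assertion_id, "->", "; ".join(reasons))
```

The second token is the instructive one: its issuer and signing key are exactly what the cloud expects, so signature validation alone cannot distinguish it from a real login. Only comparing the cloud's accepted tokens with the federation server's issuance log exposes it, which is why that log must be retained somewhere the on-premises attacker cannot alter it.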

NSA Agrees on Authentication Abuse

Earlier in December 2020, the National Security Agency released an official Cybersecurity Advisory [PDF] titled "Detecting Abuse of Authentication Mechanisms." The advisory very much corroborates Microsoft's analysis that the attackers wanted to obtain the SAML signing key in order to create their own tokens.

The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.

Both the Microsoft Security blog and the NSA Cybersecurity Advisory contain information on hardening network security to protect against the attack, as well as how network administrators can spot any signs of infiltration.