Toward the end of 2020, a team of sophisticated cyber attackers, most likely funded by a hostile nation-state, inserted malware into the SolarWinds network monitoring and management platform. The announcement of this SolarWinds security breach sent shockwaves through business and IT communities.
The attackers’ ultimate goal was to use this malware as a backdoor into SolarWinds customers’ networks, including multiple U.S. government agencies, certain branches of the U.S. military, and many high-profile private companies.
The SolarWinds supply chain attack was the most successful and devastating cyberattack in history – but the story isn’t over yet. We’re still learning more about the techniques used by the attackers, the damage caused, and the repercussions for the future of cybersecurity.
In one of the most concerning revelations so far, researchers at FireEye subsidiary Mandiant released a report detailing how the attackers exploited several Microsoft 365 security vulnerabilities to hack into the SolarWinds infrastructure. This is an important discovery because so many companies have recently migrated their data and many of their essential applications to the cloud via Microsoft 365.
Let’s take a look at what the Mandiant report reveals about how the SolarWinds attackers targeted Microsoft 365 vulnerabilities and the lessons you can learn to help keep your company networks secure.
Understanding the four methods used to breach the Microsoft 365 cloud
1. Forged Active Directory Federation Services (AD FS) tokens
To infiltrate the SolarWinds network, attackers stole AD FS token-signing certificates from on-premises servers and used them to forge authentication tokens. The forged tokens could impersonate any user the attackers chose and be used to access resources like Microsoft 365 without entering a password or triggering any multi-factor authentication (MFA) processes.
2. Modified trusted domains in Azure AD
Attackers modified or added trusted domains in Azure AD. This method, also known as the Azure AD backdoor, allowed them to register a federated identity provider under their control and then forge tokens for whichever accounts they wished.
3. Compromised credentials for privileged accounts
The SolarWinds attackers targeted privileged on-premises user accounts for IT administrator roles. These accounts were synced to Microsoft 365, so attackers could use them to move from the on-premises environment into the cloud.
4. Hijacked Microsoft 365 applications using forged credentials
Once the attackers had forged credentials, they added them to existing Microsoft 365 applications. This allowed them to bypass MFA procedures and hijack the applications’ permissions to send messages and access sensitive company data.
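Techniques 2, 3 and 4 are all directory changes, so they leave records in the Azure AD audit log; the following triage routine is an added example (not code from the original post, from designDATA, or from the Mandiant report) that flags those records and marks actors who are not known administrators. The activity-name substrings and the contoso.example sample records are assumptions to check against your own tenant; a forged token (technique 1) is not a directory change and is out of scope here.

```python
# Added defender-side example, not from the original post or the Mandiant
# report: triage Azure AD audit-log records for the four techniques above.
# Substrings follow Azure AD audit activityDisplayName wording (verify them
# against your own tenant); the sample records are constructed placeholders.

# (lower-cased substring of activityDisplayName, technique it points at)
WATCHED = [
    ("federation settings on domain", "2: federation settings changed"),
    ("set domain authentication", "2: domain switched managed/federated"),
    ("add unverified domain", "2: new unverified domain added"),
    ("add service principal credentials", "4: credential added to service principal"),
    ("certificates and secrets management", "4: credential added to application"),
    ("add member to role", "3: privileged role assigned"),
]

def classify(activity):
    """Map an audit activity name to a technique label, or None."""
    name = activity.lower()
    return next((label for needle, label in WATCHED if needle in name), None)

def triage(events, expected_admins):
    """Return (time, technique, actor, targets, actor_expected) for each
    watched event; unexpected actors are what an analyst reads first."""
    findings = []
    for ev in events:
        label = classify(ev.get("activityDisplayName", ""))
        if label is None:
            continue
        who = ev.get("initiatedBy", {})
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        targets = ";".join(t.get("displayName", "") for t in ev.get("targetResources", []))
        findings.append((ev["activityDateTime"], label, actor, targets, actor in expected_admins))
    return findings

# Constructed sample: a routine change by a known admin, a federation change
# by a sync service account, and an app adding a credential to itself.
SAMPLE_EVENTS = [
    {"activityDateTime": "2020-12-13T02:14Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}, "targetResources": []},
    {"activityDateTime": "2020-12-13T02:20Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@contoso.example"}},
     "targetResources": [{"displayName": "contoso.example"}]},
    {"activityDateTime": "2020-12-13T03:05Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"app": {"displayName": "Mail Archiver"}},
     "targetResources": [{"displayName": "Mail Archiver"}]},
]

def run_sample():
    return triage(SAMPLE_EVENTS, {"admin@contoso.example"})
```

Feed it the JSON returned by the audit-log export of your choice; a federation change or new application credential made by anyone outside the expected admin set is the line to investigate first.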
Four lessons cybersecurity teams can learn from the SolarWinds Microsoft 365 cloud attack
1. Your network is only as secure as the weakest member of your supply chain.
The SolarWinds attack has opened our eyes to the devastating effects of a successful supply chain attack. The government agencies and other real targets of the attack were too well protected, so the attackers opted to go after their trusted vendors. This backdoor attack was amazingly successful. It is a sobering reminder that working with vendors and partners to secure the entire supply chain should be a vital part of your cybersecurity strategy.
2. MFA isn’t enough to keep you safe.
MFA is rightly acclaimed as a crucial part of securing your company network, but it’s not a magic formula that stops all cyberattacks. The SolarWinds attack has clearly shown that a keen and determined attacker can bypass MFA. Your team should look beyond MFA and make sure that both your on-premises and cloud environments are properly secured and hardened.
3. Remediation and hardening go hand in hand.
When a cyberattack is detected, the first step is to regain control of your environment and kick the attackers out through remedial actions such as issuing new authentication tokens, removing suspicious domains, and rotating passwords. These steps are necessary, but they’re insufficient if you don’t follow them up with hardening measures to ensure long-term security. You and your team must stay up to date on the most recent recommendations for hardening both on-premises and cloud environments and take proactive steps to implement them.
4. You need a detailed cloud security plan.
Many IT teams have taken a simplified approach to cloud security. They’ve set up their environment, enabled a few password and MFA policies, and then migrated their critical data and mission-critical applications to the cloud. If that sounds like your company’s approach, let the SolarWinds Microsoft 365 breach motivate you to take the time to lock down your Microsoft 365 environment fully. Your company’s security depends on it.
Do you have a plan for Microsoft 365 security?
Microsoft 365 has quickly become essential to many companies’ operations, especially in the current remote work environment. The chances are high that much of your company’s most valuable data is stored in your Microsoft 365 cloud.
That’s a tempting target for cybercriminals trying to access your network for a direct attack or as part of a supply chain attack. The vulnerabilities that enabled the SolarWinds attackers to breach the Microsoft 365 cloud still exist, but there are strategies to mitigate the risk and keep your data safe.
Companies have spent years securing their on-premises environments. Keeping cloud-based environments secure requires the same level of effort, plus additional work to ensure that there are no vulnerabilities that would enable attackers to move between the two. You also need to stay up to date on all the latest attack methods and the hardening measures to combat them.
That’s where an experienced cybersecurity consultant can make a difference. At designDATA, our business aims to understand how to keep our clients’ IT environments safe and secure. If you want to better understand your risk and the steps your team can take to secure your Microsoft 365 environment, schedule a consultation with one of our experts. We’ll be happy to help prepare your team so that you feel confident that your business won’t fall victim to the techniques used in the SolarWinds attack.