You’d have to have been living under a metaphorical rock to have missed news of the sophisticated malware that exposed SolarWinds to a supply chain cyber attack. By exploiting vulnerabilities in the SolarWinds Orion IT monitoring platform, this malware enabled threat actors to infiltrate it and then move laterally to attack Microsoft Azure. Once inside, they were able to manipulate Azure Active Directory, hijack existing cloud service accounts, create new accounts, and assign themselves elevated access permissions to go anywhere. This not only exposed SolarWinds customers’ network monitoring servers, but opened the door to compromising subsequent users of the cloud software ecosystem.
This article explains the role of privileged credentials in the exploitation of the vulnerability in SolarWinds’ platform that led to the cyber attack, and guides enterprises in what to do to avoid a similar fate.
Where Do Accounts and Access Fit into the Modern Threat Lifecycle?
Securing a ‘foothold’ or a repeatable exploit vector within a victim’s environment by abusing vulnerabilities like the SolarWinds backdoor is just the first stage of a cyber attack.
Follow-up stages include internal reconnaissance (discovery of enterprise security tools, people and environments) that is conducted with the objective of finding additional security soft spots and then embedding deeper into the compromised environment by branching out. In this incident, for instance, lateral movement was assuredly not limited to breaching Azure. Given the skillset of these attackers, they would have targeted and exploited additional cloud services.
Where accounts and access fit into the attack lifecycle is in the reconfiguration of core cloud environment settings, rendering cybersecurity defenses ineffective (turning off two-factor authentication, adding certificates to accept attacker communications, deleting log events, etc.), and in the ability to harvest credentials from trusted communications and routes. Such powerful exploits launched from a privileged account with privileged access would typically be overlooked as routine or normal.
Tactics and Techniques Leveraging Privileged Credentials in the SolarWinds Cyber Attack
Seizing control of privileged access was critical in the case of the SolarWinds breach. Masquerading as a standard Orion process, this cyber breach gave threat actors access to global administration accounts and trusted SAML token signing certificates. With these, perpetrators were able to easily craft and certify their own SAML tokens and add their own privileged credentials to service principals and other applications.
SolarWinds’ cloud security breach went undetected in Azure for months. Actors successfully set up new federation trusts to accept fraudulent SAML token certificates, adding X.509 keys or password credentials to legitimate OAuth applications or service principals with existing Mail.Read or Mail.ReadWrite permissions to allow them to read, and presumably exfiltrate, mail content from Exchange Online via Microsoft Graph or Outlook REST. Nobody noticed, because the abused administrator privileges were effectively obfuscated: the actions appeared in logs as trusted administrative activity.
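As an added illustration (not code from the original post or from any vendor), the detector below runs over constructed Azure AD audit-log style records and flags the three behaviours described above: credentials added to applications or service principals, federation trust changes, and consent to mail-reading Graph scopes. The record schema and operation names are simplified assumptions modelled on Azure AD audit-log activity names; map them to your tenant’s real export before use.

```python
from typing import Dict, Iterable, List, Optional, Set

# Operation names are assumptions modelled on Azure AD audit-log activity names.
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite"}

# Constructed sample records (not real log data). A benign "Update user" sits
# between the suspicious events so the filter has something to ignore.
SAMPLE_LOG = [
    {"op": "Add service principal credentials", "actor": "svc-orion@corp.example",
     "target": "ExchangeConnector", "props": {"keyType": "AsymmetricX509Cert"}},
    {"op": "Update user", "actor": "alice@corp.example",
     "target": "bob@corp.example", "props": {}},
    {"op": "Set federation settings on domain", "actor": "svc-orion@corp.example",
     "target": "corp.example", "props": {"issuerUri": "http://new-idp.invalid/"}},
    {"op": "Consent to application", "actor": "svc-orion@corp.example",
     "target": "ExchangeConnector", "props": {"scopes": ["Mail.ReadWrite", "User.Read"]}},
]


def classify(rec: Dict) -> Optional[str]:
    """Return a finding label for one record, or None if it is benign."""
    op = rec["op"]
    if op in CREDENTIAL_OPS:
        return "credential-added-to-app"
    if op in FEDERATION_OPS:
        return "federation-trust-changed"
    if op == "Consent to application" and MAIL_SCOPES & set(rec["props"].get("scopes", [])):
        return "mail-read-permission-granted"
    return None


def detect(records: Iterable[Dict]) -> List[Dict]:
    """Run classify() over every record and keep actor/target context for triage."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label:
            findings.append({"finding": label, "actor": rec["actor"], "target": rec["target"]})
    return findings


def actors_with_multiple_findings(findings: List[Dict]) -> Set[str]:
    """One identity touching more than one technique is the stronger signal."""
    per_actor: Dict[str, Set[str]] = {}
    for f in findings:
        per_actor.setdefault(f["actor"], set()).add(f["finding"])
    return {actor for actor, kinds in per_actor.items() if len(kinds) > 1}
```

Feed the output of detect() to your SIEM as individual alerts, and escalate any actor returned by actors_with_multiple_findings().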
5 Key Access Security Steps You Should Take Right Now
There are five key steps that organizations can take to minimize their privilege attack surface, begin building a zero trust model for cloud access, and prevent themselves from becoming the next SolarWinds:
- Audit High Value Assets and High Risk Cloud Accounts – Identify all high value assets, their supporting infrastructure, as well as the high-risk accounts and roles across the organization that might place them at risk. High risk accounts are those with permissions identified as having a potentially negative impact on the business in the case of an incident or breach. This can be done most effectively using a cloud privileged access management solution that gives you multi-cloud discovery and visibility in a single pane of glass. It should also be capable of routine scanning of all accounts, groups and permissions, to highlight potentially high-risk objects.
- Enforce Zero Standing Privileges for All Accounts – Deploy a cloud privileged access management solution that can grant Just in Time (JIT) access privileges. Equally, it should be able to expire those privileges automatically upon session completion.
- Enforce Least Privilege Access – Right-sizing roles is also an important feature of a cloud privileged access management solution. That’s your platform’s ability to leverage machine learning to recognize user behavior aligned with roles and recommend and grant only the level of permissions necessary to do their job. This mitigates the risk of a “policy monitor” role holding the master key to the corporate kingdom.
- Uncover Obfuscated Cloud Permissions – Generate and review regular automated reports on “high risk” Account, Group, and Permission modifications to uncover obfuscated permissions. This should be done using a dynamic permissioning platform that leverages a SIEM (or similar) solution.
- Always Implement 2FA – Two-factor authentication using strong factors such as hardware tokens should always be used on all privileged accounts.
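To make the five steps concrete, here is an added example (not from the original post or any product) that audits a constructed inventory of cloud role assignments against three of the controls above: standing privilege on high-risk roles, JIT grants that outlived their expiry, and privileged identities without a second factor. The high-risk role list, the record fields and the fixed clock are assumptions for a reproducible run.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Roles treated as high-risk for this audit (assumption; tailor to your tenant).
HIGH_RISK_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Exchange Administrator",
}

# Fixed clock so the audit is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2021, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed inventory (not real data). 'expires' is None for standing access;
# 'mfa' records whether a strong second factor is enforced for the principal.
ASSIGNMENTS = [
    {"principal": "alice@corp.example", "kind": "user",
     "role": "Global Administrator", "expires": None, "mfa": True},
    {"principal": "svc-orion", "kind": "service",
     "role": "Application Administrator", "expires": None, "mfa": False},
    {"principal": "bob@corp.example", "kind": "user", "role": "Exchange Administrator",
     "expires": NOW - timedelta(hours=2), "mfa": True},   # JIT grant that should have been revoked
    {"principal": "carol@corp.example", "kind": "user", "role": "Exchange Administrator",
     "expires": NOW + timedelta(hours=1), "mfa": True},   # healthy JIT grant, still within its window
    {"principal": "dave@corp.example", "kind": "user",
     "role": "Reports Reader", "expires": None, "mfa": False},  # low-risk role, not flagged
]


def audit(assignments: List[Dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Map each control to the principals that violate it, in inventory order."""
    findings: Dict[str, List[str]] = {
        "standing_privilege": [],        # zero standing privileges
        "expired_jit_still_active": [],  # JIT grants must expire automatically
        "privileged_without_mfa": [],    # 2FA on every privileged account
    }
    for a in assignments:
        risky = a["role"] in HIGH_RISK_ROLES
        if risky and a["expires"] is None:
            findings["standing_privilege"].append(a["principal"])
        if a["expires"] is not None and a["expires"] < now:
            findings["expired_jit_still_active"].append(a["principal"])
        if risky and not a["mfa"]:
            findings["privileged_without_mfa"].append(a["principal"])
    return findings


def total_violations(findings: Dict[str, List[str]]) -> int:
    """Single number for a dashboard; zero is the target state."""
    return sum(len(v) for v in findings.values())
```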
Are You at Risk of a SolarWinds Type Cyber Attack?
To determine this, you should ask yourself the following three questions:
- Do I have complete visibility of all access and permissions across the business?
- Am I confident that no person or machine ID in my environment is over-privileged?
- Am I able to integrate reporting on high-risk accounts, groups, and users into a SIEM or similar solution, to reduce the risk of obfuscated permissions?
Where it’s not possible to lock attackers out entirely, it IS possible to mitigate cyber attacks through establishing a zero trust model, preferably an automated one based on intelligent IAM software. If you didn’t answer yes to all of the questions above, your next step should be to consider adopting an IAM zero trust model.