By John P. Desmond, AI Trends Editor
The SolarWinds hackers appeared to have targeted cloud services as a key objective, potentially giving them access to many, if not all, of an organization’s cloud-based services.
This is from an account in GeekWire written by Christopher Budd, an independent security consultant who worked previously in Microsoft’s Security Response Center for 10 years.
“If we decode the various reports and connect the dots we can see that the SolarWinds attackers have targeted authentication systems on the compromised networks, so they can log in to cloud-based services like Microsoft Office 365 without raising alarms,” wrote Budd. “Worse, the way they’re carrying this out can potentially be used to gain access to many, if not all, of an organization’s cloud-based services.”
The implication is that those assessing the impact of the attacks need to look not just at their own systems and networks, but also at their cloud-based services for evidence of compromise. And it means that defending against attacks means increasing the security and monitoring of cloud services authentication systems, “from now on.”
Budd cited these key takeaways:
- After establishing a foothold in a network, the SolarWinds attackers target the systems that issue proof of identity used by cloud-based services; and they steal the means used to issue IDs;
- Once they have this ability, they are able to create fake IDs that allow them to impersonate legitimate users, or create malicious accounts that seem legitimate, including accounts with administrative access;
- Because the IDs are used to provide access to data and service by cloud-based accounts, the attackers are able to access data and email as if they were legitimate users.
SAML Authentication Method for Cloud Services Seen Targeted
Cloud-based services use an authentication method called Security Assertion Markup Language (SAML), which issues a token that is “proof” of the identity of a legitimate user to the services. Budd ascertained, based on a series of posts on the Microsoft blog, that the SAML service was targeted. While this type of attack was first seen in 2017, “This is the first major attack with this kind of broad visibility that targets cloud-based authentication mechanisms,” Budd stated.
In response to a question Budd asked Microsoft, on whether the company learned of any vulnerabilities that led to this attack, he got this response: “We have not identified any Microsoft product or cloud service vulnerabilities in these investigations. Once in a network, the intruder then uses the foothold to gain privilege and use that privilege to gain access.”
A response from the National Security Administration was similar, saying the attackers, by “abusing the federated authentication,” were not exploiting any vulnerability in the Microsoft authentication system, “but rather abusing the trust established across the integrated components.”
Also, although the SolarWinds attack came through a Microsoft cloud-based service, it involved the SAML open standard that is widely used by vendors of cloud-based services, not just Microsoft. “The SolarWinds attacks and these kinds of SAML-based attacks against cloud services in the future can involve non-Microsoft SAML-providers and cloud service providers,” Budd stated.
American Intelligence Sees Attack Originating with Russia’s Cozy Bear
American intelligence officials believe the attack originated from Russia. Specifically, according to a report from The Economist, the group of attackers known as Cozy Bear, thought to be part of Russia’s intelligence service, were responsible. “It appears to be one of the largest-ever acts of digital espionage against America,” the account stated.
The attack demonstrated “top-tier operational tradecraft,” according to FireEye, a cyber-security firm that also was itself a victim.
America has tended to categorize and respond to cyber-attacks happening over the last decade according to the aims of the attackers. It has regarded intrusions intended to steal secrets—old-fashioned espionage—as fair game that the US National Security Agency is also engaged in. But attacks intended to cause harm, such as the North Korea assault on Sony Pictures in 2014, or China’s theft of industrial secrets, are viewed as crossing a line, the account suggested. Thus, sanctions have been imposed on many Russian, Chinese, North Korean and Iranian hackers.
The Solar Winds attack seems to have created its own category. “This effort to stamp norms onto a covert and chaotic arena of competition has been unsuccessful,” the Economist account stated. “The line between espionage and subversion is blurred.”
One observer sees that America has grown less tolerant of “what’s allowed in cyberspace” since the hack of the Officer of Personnel Management (OPM) in 2015. That hack breached OPM networks and exposed the records of 22.1 million related to government employees, others who had undergone background checks, and friends and family. State-sponsored hackers working on behalf of the Chinese government were believed responsible.
“Such large-scale espionage “would be now at the top of the list of operations that they would deem as unacceptable,” stated Max Smeets of the Centre of Security Studies in Zurich.
“On-Prem” Software Seen as More Risky
The SolarWinds Orion product is installed “on-prem,” meaning it is installed and run on computers on the premises of the organization using the software. Such products carry security risks that IT leadership needs to carefully evaluate, suggested a recent account in eWeek.
The SolarWinds attackers apparently used a compromised software patch to gain entry, suggested William White, security and IT director of BigPanda, which offers AI software to detect and analyze problems in IT systems. “With on-prem software, you often have to grant elevated permissions or highly privileged accounts for the software to run, which creates risk,” he stated.
Because the SolarWinds attack was apparently executed through a software patch, “Ironically, the most exposed SolarWinds customers were the ones that were actually diligent about installing Orion patches,” stated White.