The agency also highlighted new indicators of compromise and recommendations for mitigating follow on activity involving Microsoft Cloud users.
Perpetrators of a widespread, intelligence-gathering campaign used common hacker techniques to get through passwords in addition to more sophisticated methods, according to an update to the Cybersecurity and Infrastructure Security Agency’s alert.
“CISA incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services,” reads the activity alert updated Wednesday.
CISA notes that the activity alert does not in any way supersede its emergency directive and is not formal guidance but the document provides additional context for remediation efforts.
For example, one way hackers were able to gain unauthorized access to government systems was via the IT management company SolarWinds. They injected malware into an update the company distributed to thousands of its customers which then established a command and control pathway to an external server. But CISA found cases where tactics, techniques and procedures used by the SolarWinds hackers were used on systems where that software was not leveraged.
“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section),” the update reads. “Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified.”
The targeting of passwords directly was one of these other initial access vectors, CISA said. SolarWinds itself reportedly used a password for its update server that anyone could guess. CISA referred organizations to the National Security Agency’s cybersecurity advisory on detecting abuse of authentication systems. That agency has also recommended using strong passwords to defend against suspected Russian hackers using such tactics.
CISA also pointed to research from the firm Volexity, which had publicly reported observations of what is believed to be the same threat actor using a stolen secret key in order to get around a Duo multifactor authentication mechanism guarding Outlook Web App.
“Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two,” CISA wrote. “This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.”
CISA said it will continue to investigate other ways the hackers may have been able to gain initial access to networks.
For organizations that did install compromised versions of the SolarWinds Software—even if the hidden malware wasn’t exploited to create an outside connection—CISA’s advice includes ensuring “that all logs from the host [operating system], SolarWinds platform, and associated network logs are being captured and stored for at least 180 days in a separate, centralized log aggregation capability.”
In the case of some organizations, once adversaries gained initial access, they proceeded to spread out through networks, including through Microsoft cloud environments. Microsoft acknowledged the tainted SolarWinds code was in their environment following news reports.
“CISA has observed the threat actor adding authentication credentials, in the form of assigning tokens and certificates, to existing Azure/Microsoft 365 (M365) application service principals,” CISA said. “These additional credentials provide persistence and escalation mechanisms and a programmatic method of interacting with the Microsoft Cloud tenants (often with Microsoft Graph Application Programming Interface [API]) to access hosted resources without significant evidence or telemetry being generated.”
The stealthy adversary uses these additional credentials to move laterally, undetected through victim networks as “such individual access is normal and not logged in all M365 licensing levels,” CISA said, advising organizations to look out for unusual activity to detect such tactics.
“Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties,” CISA said. “For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.”
If organizations do detect this level of compromise to their systems, CISA says it is best to just start over and be prepared for a long and complicated slog.
“In such cases, organizations should consider the entire identity trust store as compromised,” the alert reads. “In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.”
CISA said in cases where organizations see beacons calling out to separate domain or IP addresses, including but not limited to avsvmcloud[.]com—traffic to that adversary-associated domain has since been re-routed to one that is blocked—organizations should also assume they have been compromised. Recovery and remediation of such activity will also require “a complex reconstitution and mitigation plan, which may include comprehensively rebuilding the environment,” the agency said.