Microsoft has flagged increased activities from what it describes as a sophisticated threat actor that is focused on high-value targets such as government agencies and cyber security companies.
“We believe this is nation-state activity at significant scale, aimed at both the government and private sector,” Microsoft Threat Intelligence Centre distinguished engineer John Lambert said in a blog post.
“While we aren’t sharing any details specific to individual organisations, it is important for us to share greater detail about some of the threat activity we’ve uncovered over the past weeks, along with guidance that security industry practitioners can use to find and mitigate potential malicious activity,” he added.
Lambert outlined some of the specific techniques in the unnamed actor’s toolkit, noting that not every technique has been used in every attack. They include an intrusion through malicious code inserted into the SolarWinds Orion product, which has recently been revealed as the subject of an attack by an ‘outside nation state’.
“This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files,” Lambert said.
SolarWinds on 14 December revealed it had been made aware that its systems had experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1.
“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” the company said in a statement.
SolarWinds subsequently asked customers running any of the affected products on Orion Platform 2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.
According to Lambert, the actor’s toolkit also includes using administrative permissions acquired through an on-premises compromise to gain access to an organisation’s trusted Security Assertion Markup Language (SAML) token-signing certificate; in practice this means the private key of the token-signing certificate held by the organisation’s federation server, such as Active Directory Federation Services (AD FS).
“This enables them to forge SAML tokens that impersonate any of the organisation’s existing users and accounts, including highly privileged accounts,” he said.
Moreover, the toolkit features anomalous logins using SAML tokens forged with the compromised token-signing certificate. Such tokens work against any on-premises resource and any cloud environment that has been configured to trust that certificate, regardless of identity system or vendor, because the relying party checks only that the signature is valid and the signer is trusted.
“Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organisation,” Lambert said.
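The practical consequence of Lambert’s point is that signature validation alone cannot catch a forged token, because the forgery is signed with the genuine key. What the forgery cannot produce is a matching issuance record at the identity provider itself. The following is an added example, not code from Microsoft or the blog post, that sketches that correlation over constructed log lines: it joins cloud sign-ins that presented a SAML token against the on-premises identity provider’s own “token issued” events, and flags sign-ins whose token the provider never recorded issuing, whose subject differs from the one the provider issued it to, or whose validity window exceeds the expected lifetime. The field names (`token_id`, `token_issued`, `token_expires` and so on) are assumptions chosen for the example, not the real AD FS or Azure AD log schemas.

```python
"""
Added example (not Microsoft's code): correlate cloud sign-ins that presented
a SAML token with the identity provider's own issuance records.  A token
forged with a stolen token-signing key verifies perfectly, so every sign-in
below carries signature_valid=true; the tell is that the IdP never issued it.
Log shapes and field names are constructed for this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed: what the on-premises IdP (e.g. AD FS) logged when it issued tokens.
IDP_ISSUANCE_LOG = """
{"event": "token_issued", "token_id": "tok-1001", "user": "alice@corp.example", "issued": "2020-12-13T09:00:00Z", "expires": "2020-12-13T10:00:00Z", "source_ip": "10.0.0.5"}
{"event": "token_issued", "token_id": "tok-1002", "user": "bob@corp.example", "issued": "2020-12-13T09:05:00Z", "expires": "2020-12-13T10:05:00Z", "source_ip": "10.0.0.9"}
"""

# Constructed: what the cloud tenant logged for sign-ins that presented a SAML token.
# The last two entries are forgeries: one with a fresh assertion ID and a
# one-year lifetime, one that reuses a real assertion ID under a different subject.
CLOUD_SIGNIN_LOG = """
{"event": "signin", "token_id": "tok-1001", "user": "alice@corp.example", "time": "2020-12-13T09:00:04Z", "token_issued": "2020-12-13T09:00:00Z", "token_expires": "2020-12-13T10:00:00Z", "signature_valid": true}
{"event": "signin", "token_id": "tok-1002", "user": "bob@corp.example", "time": "2020-12-13T09:05:03Z", "token_issued": "2020-12-13T09:05:00Z", "token_expires": "2020-12-13T10:05:00Z", "signature_valid": true}
{"event": "signin", "token_id": "tok-9f3a", "user": "globaladmin@corp.example", "time": "2020-12-13T23:41:02Z", "token_issued": "2020-12-13T23:41:00Z", "token_expires": "2021-12-13T23:41:00Z", "signature_valid": true}
{"event": "signin", "token_id": "tok-1002", "user": "globaladmin@corp.example", "time": "2020-12-13T23:30:01Z", "token_issued": "2020-12-13T23:30:00Z", "token_expires": "2020-12-14T00:30:00Z", "signature_valid": true}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_signins(idp_log, cloud_log, max_lifetime=timedelta(hours=1)):
    """Return (token_id, user, reasons) for each cloud sign-in that does not
    reconcile with the IdP's issuance log or that violates the lifetime policy."""
    issued = {
        rec["token_id"]: rec
        for rec in parse_jsonl(idp_log)
        if rec["event"] == "token_issued"
    }
    findings = []
    for signin in parse_jsonl(cloud_log):
        if signin["event"] != "signin":
            continue
        reasons = []
        record = issued.get(signin["token_id"])
        if record is None:
            # The relying party accepted a token the IdP has no record of issuing:
            # the hallmark of a token forged with the stolen signing key.
            reasons.append("no matching issuance event at the IdP")
        elif record["user"] != signin["user"]:
            reasons.append(
                f"IdP issued this token to {record['user']}, presented as {signin['user']}"
            )
        lifetime = parse_ts(signin["token_expires"]) - parse_ts(signin["token_issued"])
        if lifetime > max_lifetime:
            # Forged tokens are often minted with far longer validity than the
            # IdP's policy would ever produce.
            reasons.append(f"token lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((signin["token_id"], signin["user"], reasons))
    return findings


if __name__ == "__main__":
    for token_id, user, reasons in find_suspicious_signins(IDP_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"{token_id} ({user}):")
        for reason in reasons:
            print(f"  - {reason}")
```

The check depends on the relying-party logs exposing the assertion identifier the federation server wrote into its own issuance event, and on those issuance events being shipped off the federation server before an attacker with administrative access can tamper with them; an intruder who can read the signing key can usually also edit local logs, so the correlation is only as good as the log forwarding.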
Using highly privileged accounts, whether obtained through forged tokens or by other means, attackers may also add their own credentials (certificates or client secrets) to existing application service principals, enabling them to call application programming interfaces (APIs) with the permissions assigned to that application and to keep that access even after the compromised user accounts are reset.
Lambert noted that, because of the sophistication of the techniques and operational security capabilities of the unnamed actor, Microsoft wanted to encourage greater scrutiny by the broader community.
“As we recommend to our customers, we are also actively looking for indicators in the Microsoft environment and, to date, have not found evidence of a successful attack,” he said.