In a white paper released on Wednesday, FireEye warned that in the SolarWinds supply chain attack the intruders (identified by US intelligence and cybersecurity agencies as a Russian state-sponsored hacking group) specifically targeted two kinds of targets: people and systems with access to high-value information, and administrators.
The report introduces four "main techniques" used by hackers:
Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for any user, bypassing the usual authentication requirements (including multi-factor authentication enforced at the federation layer).
Modify or add trusted domains in Azure AD to register a new federated identity provider (IdP) controlled by the attacker, which acts as a backdoor into the tenant.
Compromise highly privileged on-premises (local) user accounts that are synchronized with Microsoft 365, for example Global Administrators or Application Administrators.
Backdoor existing Microsoft 365 applications by adding new credentials to applications or service principals, so that the attacker can use the legitimate permissions already granted to the application, such as reading email, sending email as any user, and accessing user calendars.
As for mitigation, FireEye recommends a broad review of all administrator accounts, in particular looking for any "accounts that have been configured or added to a specific service principal" and removing them, and then searching for suspicious application credentials and removing those as well. The company has also released a free detection tool called "Azure AD Investigator" on GitHub ( https://github.com/fireeye/Mandiant-Azure-AD-Investigator ), which can help determine whether a corporate tenant shows signs of compromise by the SolarWinds Orion backdoor.
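The two checks that the review above boils down to, an allowlist of expected federated IdPs and a hunt for credentials recently added to service principals, can be scripted against a tenant export. The following Python is an added example, not code from FireEye's paper or its Azure AD Investigator tool; it assumes the field names of Microsoft Graph's domains and servicePrincipals objects (with each domain's federationConfiguration merged in under a "federation" key), and the sample export, allowlist and baseline date are constructed placeholders.

```python
"""Audit a tenant export for two of the UNC2452 techniques described above."""
from datetime import datetime, timezone

# Constructed sample export (not real tenant data): one legitimate federated
# domain, one federated to an unknown IdP, and a service principal that gained
# a second key credential after the baseline date.
SAMPLE_EXPORT = {
    "domains": [
        {"id": "corp.example", "authenticationType": "Federated",
         "federation": {"issuerUri": "http://adfs.corp.example/adfs/services/trust"}},
        {"id": "branch.example", "authenticationType": "Federated",
         "federation": {"issuerUri": "http://unknown-idp.invalid/trust"}},
        {"id": "corp.onmicrosoft.com", "authenticationType": "Managed"},
    ],
    "servicePrincipals": [
        {"displayName": "Mail Archiver",
         "keyCredentials": [
             {"keyId": "k1", "startDateTime": "2019-03-01T00:00:00Z"},
             {"keyId": "k2", "startDateTime": "2020-06-15T09:12:00Z"}],
         "passwordCredentials": []},
        {"displayName": "HR Portal",
         "keyCredentials": [],
         "passwordCredentials": [{"keyId": "p1", "startDateTime": "2018-01-01T00:00:00Z"}]},
    ],
}

# Placeholders: the IdP issuer URIs your organisation actually operates, and the
# earliest date from which unexplained credential additions should be reviewed.
EXPECTED_ISSUERS = {"http://adfs.corp.example/adfs/services/trust"}
BASELINE = datetime(2020, 3, 1, tzinfo=timezone.utc)

def _parse(ts):
    # Graph returns UTC timestamps with a trailing "Z"; older fromisoformat lacks "Z" support.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def unexpected_federated_domains(export, expected=EXPECTED_ISSUERS):
    """Federated domains whose IdP issuer is not on the allowlist (technique 2)."""
    return [d["id"] for d in export["domains"]
            if d.get("authenticationType") == "Federated"
            and d.get("federation", {}).get("issuerUri") not in expected]

def credentials_added_since(export, since=BASELINE):
    """Service-principal credentials that appeared on or after the baseline (technique 4).
    A hit is a lead to reconcile against change records, not proof of compromise."""
    hits = []
    for sp in export["servicePrincipals"]:
        for kind in ("keyCredentials", "passwordCredentials"):
            for cred in sp.get(kind, []):
                if _parse(cred["startDateTime"]) >= since:
                    hits.append((sp["displayName"], kind, cred["keyId"]))
    return hits
```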
White paper: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452