Eng Soon Cheah

FireEye announces technical details of SolarWinds hacker and provides free detection tools

In its latest white paper, released on Wednesday, FireEye warned that in the SolarWinds supply chain attack the hackers (identified by US intelligence and cybersecurity agencies as a Russian state-backed group) specifically targeted two types of people: those with access to high-value information, and system administrators.

The report describes four "main techniques" used by the hackers:

  • Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for any user, thereby bypassing the authentication requirements that would otherwise apply.

  • Modify or add trusted domains in Azure AD so that a new federated identity provider (IdP) controlled by the attacker is trusted, creating a backdoor into the network.

  • Compromise highly privileged on-premises user accounts that are synchronized to Microsoft 365 (for example, Global Administrators or Application Administrators).

  • Backdoor existing Microsoft 365 applications by adding new application or service principal credentials, so that the legitimate permissions already assigned to the application can be used: reading email, sending email as any user, accessing user calendars, and so on.

For mitigation, FireEye broadly recommends reviewing all administrator accounts, in particular looking for any "accounts that have been configured or added to a specific service principal" and removing them, and then searching for suspicious application credentials and removing those as well. The company has also released a free detection tool, "Azure AD Investigator", on GitHub ( https://github.com/fireeye/Mandiant-Azure-AD-Investigator ), which checks whether an organization's environment shows signs of having been compromised through the SolarWinds Orion backdoor.
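As an added illustration (not code from FireEye's paper or from the Azure AD Investigator tool), the script below audits a constructed tenant snapshot for two of the signals described above: federated domains that may hide an attacker-controlled IdP, and credentials recently added to service principals that already hold mail or calendar permissions. The snapshot layout (`domains` with `authenticationType`, service principals with `passwordCredentials`/`keyCredentials` and an `appPermissions` list of permission names) is an assumed, Graph-like shape, and `HIGH_IMPACT_PERMS` is an assumed set.

```python
from datetime import datetime, timedelta, timezone

# Application permissions the fourth technique abuses once a rogue credential is
# attached to an app that already holds them (assumed set of Graph permission names).
HIGH_IMPACT_PERMS = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Calendars.Read"}

def _parse(ts):
    # Graph-style timestamp such as 2021-01-14T09:00:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_tenant(snapshot, now, window_days=90):
    """Return (severity, message) findings for a tenant snapshot (assumed Graph-like dict)."""
    findings = []
    cutoff = now - timedelta(days=window_days)
    # Technique 2: each federated domain lets an external IdP mint tokens, so every
    # one must match a federation the organisation knows it configured.
    for d in snapshot.get("domains", []):
        if d.get("authenticationType") == "Federated":
            findings.append(("review", f"federated domain {d['id']}: confirm the IdP is expected"))
    # Technique 4 and the mitigation: credentials added recently to a service principal,
    # escalated when the principal already holds mail or calendar permissions.
    for sp in snapshot.get("servicePrincipals", []):
        risky = set(sp.get("appPermissions", [])) & HIGH_IMPACT_PERMS
        for c in sp.get("passwordCredentials", []) + sp.get("keyCredentials", []):
            if _parse(c["startDateTime"]) >= cutoff:
                sev = "high" if risky else "review"
                findings.append((sev, f"new credential {c['keyId']} on {sp['displayName']}"
                                      f" holding {sorted(risky) or 'no mail/calendar perms'}"))
    return findings

# Constructed sample (not real tenant data): a managed and a federated domain, a
# mail-reading app given a new secret last week, and an app with an old certificate.
NOW = datetime(2021, 1, 20, tzinfo=timezone.utc)
SAMPLE = {
    "domains": [{"id": "contoso.example", "authenticationType": "Managed"},
                {"id": "sso.contoso.example", "authenticationType": "Federated"}],
    "servicePrincipals": [
        {"displayName": "Mail Archiver", "appPermissions": ["Mail.Read", "User.Read.All"],
         "passwordCredentials": [{"keyId": "cred-1", "startDateTime": "2021-01-14T09:00:00Z"}],
         "keyCredentials": []},
        {"displayName": "Build Bot", "appPermissions": ["User.Read"], "passwordCredentials": [],
         "keyCredentials": [{"keyId": "cred-2", "startDateTime": "2019-03-01T00:00:00Z"}]},
    ],
}

def run_sample():
    return audit_tenant(SAMPLE, NOW)

if __name__ == "__main__":
    print(*(f"[{s}] {m}" for s, m in run_sample()), sep="\n")
```

A real run would feed the same function an export of the tenant's domains and service principals, and every "high" finding is a credential to verify against change records before it is removed.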

Reference
Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452:
https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf
