A fourth malware strain wielded by the SolarWinds attackers has been detailed by Symantec researchers, followed by the disclosure of the attackers’ ingenious lateral movement techniques and the release of an auditing script by FireEye researchers that organizations can use to check their Microsoft 365 tenants for signs of intrusion.
Then, on Tuesday, Malwarebytes CEO Marcin Kleczynski disclosed that the same attackers targeted and breached the company, but not through the compromised SolarWinds Orion platform (which they don’t use).
“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” he said.
A new malware strain: Raindrop
On Monday, Symantec shared the result of their analysis of Raindrop, a loader that, similarly to the Teardrop backdoor, delivers a customized Cobalt Strike Beacon.
Unlike Teardrop, which was delivered by the initial Sunburst (Solorigate) backdoor, Raindrop was used for spreading across the victim’s network and there is no evidence to date of it being delivered directly by Sunburst.
“Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst,” the researchers shared.
Symantec has released indicators of compromise (IOCs) and YARA rules that can come in handy to defenders.
Techniques used by the attackers
FireEye is the firm that first uncovered the activities of the SolarWinds hackers and has visibility into many intrusions perpetrated by them, allowing it to detail several methodologies used by the attackers (and other threat actors) to move laterally from targets’ on-premises networks to the Microsoft 365 cloud:
- Stealing the Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users (aka a Golden SAML attack)
- Modifying or adding trusted domains in Azure AD to add a new federated Identity Provider (controlled by the attackers)
- Compromising the credentials of on-premises user accounts that are synchronized to Microsoft 365 and that hold highly privileged directory roles (e.g., Global Administrator or Application Administrator)
- Backdooring an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application (e.g., the ability to read email, send email as an arbitrary user, access user calendars, etc.)
FireEye subsidiary Mandiant has published a paper thoroughly detailing these techniques, as well as detection and remediation advice and strategies. They’ve also released Azure AD Investigator, a PowerShell tool for detecting artifacts that may indicate these techniques have been used against an organization.
CISA has also previously detailed some of these techniques, offered advice on detection methods, and pointed to various tools that can detect recent domain authentication or federation modifications, detect new and modified credentials applied to applications and service principals, gather data from O365 and Azure for security investigation, and help organizations analyze permissions in their Azure AD tenant and service configuration, among other tasks.
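As an added illustration of the kind of artifacts those tools hunt for (example code written for this article, not FireEye’s Azure AD Investigator or any CISA tool), the Python below triages a handful of constructed Azure AD audit-log records for the four techniques listed above; the activity names and record layout are assumptions to confirm against a real tenant export.

```python
# Azure AD audit-log activity names (assumed; confirm against your tenant) mapped to the FireEye technique each can evidence.
SUSPICIOUS_ACTIVITIES = {
    "Set federation settings on domain": "federation change (attacker-controlled IdP)",
    "Set domain authentication": "federation change (attacker-controlled IdP)",
    "Add service principal credentials": "credential added to service principal (app backdoor)",
    "Update application – Certificates and secrets management": "credential added to application (app backdoor)",
    "Add member to role": "highly privileged directory role granted",
}
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

def triage_audit_log(records):
    findings = []  # (activity, actor, target, technique) tuples an analyst should review
    for r in records:
        activity = r.get("activityDisplayName", "")
        technique = SUSPICIOUS_ACTIVITIES.get(activity)
        if technique is None:
            continue
        who = r.get("initiatedBy", {})
        actor = (who.get("user", {}).get("userPrincipalName")
                 or who.get("app", {}).get("displayName", "<unknown>"))
        targets = r.get("targetResources", [])
        target = targets[0].get("displayName", "") if targets else ""
        if activity == "Add member to role":
            # Role name is carried as a JSON-encoded string in modifiedProperties (assumed layout).
            role = next((m.get("newValue", "").strip('"') for t in targets
                         for m in t.get("modifiedProperties", [])
                         if m.get("displayName") == "Role.DisplayName"), "")
            if role not in PRIVILEGED_ROLES:
                continue  # ordinary role grant, not the technique in question
            target = f"{target} -> {role}"
        findings.append((activity, actor, target, technique))
    return findings

# Constructed sample records in the shape of an audit-log export (not real data).
SAMPLE_RECORDS = [
    {"activityDisplayName": "Set federation settings on domain", "targetResources": [{"displayName": "example.test"}],
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}},
    {"activityDisplayName": "Add service principal credentials", "targetResources": [{"displayName": "Mail Filter App"}],
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.test"}}},
    {"activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "jdoe@example.test", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"displayName": "jdoe@example.test", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Reports Reader\""}]}]},
    {"activityDisplayName": "Update user", "initiatedBy": {"app": {"displayName": "Sync Client"}},
     "targetResources": [{"displayName": "jdoe@example.test"}]},
]

if __name__ == "__main__":
    for finding in triage_audit_log(SAMPLE_RECORDS):
        print(" | ".join(finding))
```

Of the five constructed records, only the federation change, the service-principal credential addition and the Global Administrator grant are surfaced; the Reports Reader grant and the unrelated user update are ignored.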
Malwarebytes CEO Marcin Kleczynski said that the company was breached by the same nation-state attackers that hit and compromised SolarWinds, but that the attackers didn’t gain access through a compromised SolarWinds Orion installation.
CISA has previously published a security alert in which it said that “the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”
“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” Kleczynski shared.
“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”
A more thorough investigation revealed that the company’s source code, build and delivery processes, and internal on-premises and production environments had not been tampered with.
Kleczynski did not identify the “dormant email protection product” the attackers exploited.