With the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks.
Today's FireEye report comes as the security firm has spearheaded investigations into the SolarWinds supply chain compromise, together with Microsoft and CrowdStrike.
The SolarWinds hack came to light on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor broke into the network of IT software provider SolarWinds and poisoned updates for the Orion app with malware.
The malware, known as Sunburst (or Solorigate), was used to gather info on infected companies. Most of the 18,000 SolarWinds customers who installed a trojanized version of the Orion app were ignored. Still, for some selected targets, the hackers deployed a second strain of malware known as Teardrop. They then used several techniques to escalate access inside the local network and the company's cloud resources, focusing on breaching Microsoft 365 infrastructure.
In its 35-page report, FireEye has detailed these post initial compromise techniques, along with detection, remediation, and hardening strategies that companies can apply.
Summarized, they are as follows:
- Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user's password or their corresponding multi-factor authentication (MFA) mechanism.
- Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
- Compromise the credentials of on-premises user accounts synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
- Highjack an existing Microsoft 365 application by adding a rogue credential to it to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc., while bypassing MFA.
"While UNC2452 has demonstrated a level of sophistication and evasiveness, the observed techniques are both detectable and defensible," FireEye said.
FireEye's ability to detect these techniques inside its network led to the company investigating an internal breach and then discovering the broader SolarWinds incident.
Similar tools to the one FireEye released today have also been released by the US Cybersecurity and Infrastructure Security Agency (called Sparrow) and CrowdStrike (called CRT).