If a third-party service can authenticate against Azure AD rather than ADFS, the ability for an attacker to spoof the identity is reduced. Moving from ADFS to cloud-based authentication using password hash synchronisation (PHS) or pass-through authentication (PTA) is critical. Once in that service, they could add in their own IDP, create additional accounts or anything else that a system administrator might do. This break may allow the attacker to spoof the identity of any individual and access a third-party service. So, why did I mention federation earlier? Well, one of the issues with the SolarWinds attack was the potential for an on-premises ADFS service to be broken. This monitoring and reporting should be put in place as soon as possible to ensure that any services you add are not communicating with outside systems that they shouldn’t be. However, if the system starts to reach out to other services – ones that have not been disclosed by the vendor – then an alert should be raised, and the communications blocked. It may contact an external server, perhaps to validate a license or check for updates, but these external access points should be documented and provided as part of an allow list. When management software is installed, it should communicate internally, collating data from servers and systems to do its job. As with other attacks, the communications from the malware to its host can be monitored and reported on. Just because a third-party provides a security function doesn’t mean that you can take them at face value. In the past, federated authentication has been used to provide security and single sign-on to external services and was recommended by organisations like the NCSC. Why is federated authentication an issue? When this attack was being investigated, it showed that there was an opportunity for the attacker to access the federation services on-premises and use these to attack other services that used the federation for authentication. Since the initial disclosure, MimeCast, Malwarebytes, Palo Alto Networks, Qualys, and Fidelis have all reported that they were targeted following the breach. December 12 2020: Solarigate supply chain attack disclosed.Įxamining the attack shows a very careful approach that involves deliberate delays before the real breach began.June 4 2020: Attackers remove malware from SolarWinds build environment. May 2020: Estimated start of hands-on-keyboard attacks and activation of TEARDROP.March – May 2020: Estimated start of Solarigate backdoor distribution, SUNBURST and target-profiling.February 20 2020: Solarigate backdoor is compiled and deployed.September 12 – November 4 2019: Attackers inject test code.September 4 2019: Attackers start accessing SolarWinds.The timeline is extensive and has been traced back as far as September 2019. This was not a quick, smash and grab breach but a long-term, planned, patient attack. As the core software is updated, the malware is installed and starts to send details out to the attackers. With SolarWinds, this became the dispersal method for the attack. Typically, organisations are encouraged to patch servers regularly and keep them up to date. This means that their systems are deeply ingrained across thousands of organisations. This breach is a particular cause for concern as SolarWinds are a leading IT infrastructure supplier, spanning network, systems, database, applications, and security management. This code was then included in the distributed code from March 2020 until it was detected. SolarWinds: A quick recapĪs we now know, the attackers gained access to the SolarWinds source code and injected malicious code directly into it. I’ll also offer advice on what you can do to remove as much risk as possible from your environment by addressing how you authenticate. Instead, my aim is to get you to examine whether this style of attack is something that you can discover and react to. My aim here is not to go through the actual attack in great detail – more than enough has been written about that to keep people reading for hours. The SolarWinds breach (also known as Solarigate or Solorigate) that made headlines in December 2020 opened many eyes to the issues of indirect attacks.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |