Following the significant security breach by malicious cyber actors that was initially detected in the SolarWinds Orion platform, security agencies around the world are warning users about the compromised networks and the weaknesses that pose a grave risk to federal, state, local and territorial government organizations, as well as critical infrastructure entities and other private sector organizations.
The National Security Agency (NSA) announced that to defend against the latest tactics, techniques and procedures (TTPs), cloud tenants must lock down tenant SSO configuration and service principal usage, as well as harden the systems that run on-premises identity and federation services.
Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services, NSA said. Single sign-on (SSO) is an authentication method that allows users to authenticate to multiple applications and websites by using one set of credentials.
The SolarWinds security breach can be divided into two TTPs. In the first one, the hackers compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens, NSA said in a cybersecurity advisory on Monday. Using the stolen private keys, the intruders then forge trusted authentication tokens to access cloud resources.
In a variation of this TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.
In the second TTP, the attackers leverage a compromised global administrator account to assign credentials to cloud application service principals, and then invoke the application's credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would otherwise be noticed as suspicious, NSA added.
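The monitoring NSA recommends above can be sketched as two correlation checks, one per TTP. The following is an added example written for this article, not code from NSA or from any vendor: the log records are constructed, and the field names (token_id, add_credential, mail_read) are assumptions rather than any real product's schema. The first check looks for a SAML token the cloud accepted that the on-premises federation service never recorded issuing; the second looks for a service principal that receives a new credential and is then used for mail access within a short window.

```python
"""Added example: toy correlation checks for the two SolarWinds-era TTPs.
All records below are constructed sample data; field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: one record per SAML token the on-premises federation server issued.
FEDERATION_ISSUED = [
    {"token_id": "t-100", "user": "alice@corp.example", "issued": "2020-12-14T09:00:00"},
    {"token_id": "t-101", "user": "bob@corp.example",   "issued": "2020-12-14T09:05:00"},
]

# Constructed: federated (SAML) sign-ins the cloud tenant accepted.
CLOUD_SAML_SIGNINS = [
    {"token_id": "t-100", "user": "alice@corp.example", "seen": "2020-12-14T09:00:10"},
    {"token_id": "t-555", "user": "bob@corp.example",   "seen": "2020-12-14T22:41:00"},
]

# Constructed: cloud audit trail covering credential additions to service
# principals and subsequent use of those principals.
CLOUD_AUDIT = [
    {"time": "2020-12-15T01:02:00", "action": "add_credential",
     "actor": "globaladmin@corp.example", "principal": "sp-mail-sync"},
    {"time": "2020-12-15T01:20:00", "action": "mail_read",
     "actor": "sp-mail-sync", "principal": "sp-mail-sync"},
    {"time": "2020-12-10T08:00:00", "action": "add_credential",
     "actor": "globaladmin@corp.example", "principal": "sp-backup"},
    {"time": "2020-12-14T08:00:00", "action": "mail_read",
     "actor": "sp-backup", "principal": "sp-backup"},
]


def ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def unissued_saml_tokens(issued, signins):
    """TTP 1 check: tokens accepted by the cloud with no matching on-prem issuance.

    A forged token signed with a stolen key is valid to the cloud but never
    passed through the federation server, so it leaves no issuance record.
    """
    known = {r["token_id"] for r in issued}
    return [r["token_id"] for r in signins if r["token_id"] not in known]


def new_credential_then_use(audit, window=timedelta(hours=24)):
    """TTP 2 check: service principals given a new credential and then used
    for mail access within `window`. Returns (principal, actor_who_added_it)."""
    added = defaultdict(list)
    for r in audit:
        if r["action"] == "add_credential":
            added[r["principal"]].append((ts(r["time"]), r["actor"]))

    hits = set()
    for r in audit:
        if r["action"] != "mail_read":
            continue
        used_at = ts(r["time"])
        for added_at, actor in added.get(r["principal"], []):
            if timedelta(0) <= used_at - added_at <= window:
                hits.add((r["principal"], actor))
    return sorted(hits)


if __name__ == "__main__":
    print("SAML tokens with no on-prem issuance:",
          unissued_saml_tokens(FEDERATION_ISSUED, CLOUD_SAML_SIGNINS))
    print("Service principals credentialed then used for mail:",
          new_credential_then_use(CLOUD_AUDIT))
```

On the constructed data the first check flags t-555 (bob's sign-in at 22:41 has no issuance record) and the second flags sp-mail-sync, whose credential was added and used eighteen minutes later; sp-backup is not flagged because its credential was four days old when used. In practice the value of the first check depends on collecting federation-server issuance logs centrally, since an attacker holding the signing key does not need to touch that server again to mint tokens.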
The U.K.'s security agency, the National Cyber Security Centre (NCSC), warned about the threat actor, which has been able to add a malicious, unauthorised modification to SolarWinds Orion products that allows it to send administrator-level commands to any affected installation.
“This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact,” said Paul Chichester, NCSC’s director of operations, in a statement on Monday. “That work is ongoing and will take some time, but simply having SolarWinds does not automatically make an organisation vulnerable to real world impact. The NCSC is working to mitigate any potential risk, and actionable guidance has been published to our website. We urge organisations to take immediate steps to protect their networks – and will continue to update as we learn more.”
The Cybersecurity and Infrastructure Security Agency (CISA) updated its earlier advisory after finding evidence of initial access vectors other than the SolarWinds Orion platform. Specifically, “we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” it said on Saturday.
CISA is working to confirm initial access vectors and identify any changes to the TTPs, and will provide updates as new information on the security breach becomes available, according to the U.S.-based security agency.
Last week, CISA issued Emergency Directive 21-01, following a known security breach affecting SolarWinds Orion products. The Emergency Directive advised all federal civilian agencies to review their networks for indicators of compromise, and to immediately disconnect or power down SolarWinds Orion products running versions 2019.4 through 2020.2.1 HF1.
The U.S. Department of Energy (DOE) said that it has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the Department, including the National Nuclear Security Administration (NNSA).
When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network, said Shaylyn Hynes, a DOE spokeswoman, in a press statement. "The investigation is ongoing and the response to this incident is happening in real time."
As part of its ongoing response, the DOE has been in constant communication with industry partners, including the leadership of the energy sector Subsector Coordinating Councils, and is also in regular contact with the Electricity, Oil & Natural Gas (ONG), and Downstream Natural Gas (DNG) Information Sharing and Analysis Centers (ISACs).
Security company Xage believes that the impact of the SolarWinds security breach could have been avoided with a security architecture grounded in zero trust. “Rather, it would have limited communications to known and authenticated entities—regardless of whether they were coming from a trusted network—and would have blocked access to the hacker-controlled DNS server,” the company said in a blog post on Tuesday.