The techniques used by the SolarWinds attackers were sophisticated, but in many ways they were also ordinary and avoidable, according to Microsoft.
To avoid future attacks of similar sophistication, Microsoft recommends that organizations adopt a "zero trust mentality," which rejects the assumption that anything inside the network perimeter is safe. In other words, organizations must assume breach and explicitly verify every access request, whether it comes from user accounts, endpoints, the network, or other resources.
As Microsoft’s director of identity security Alex Weinert noted in a blog post, the top three attack vectors were compromised user accounts, compromised vendor accounts, and compromised vendor software.
Thousands of businesses were affected by the SolarWinds breach, which was revealed in mid-December. The attackers, tracked as UNC2452 / Dark Halo, compromised the build environment of SolarWinds' Orion software, tampering with the process by which source code is compiled into the binary executables that customers deploy.
US security vendor Malwarebytes revealed yesterday that it was hit by the same attackers, but not through the tainted Orion updates. Instead, the attackers breached Malwarebytes by abusing applications with privileged access to its Office 365 and Azure environments, gaining "access to a limited subset" of internal Malwarebytes emails.
According to Weinert, the attackers exploited gaps in "explicit verification" in each of the main attack vectors.
"When user accounts have been compromised, known techniques such as password spraying, phishing or malware have been used to compromise the user's credentials and have given the attacker critical access to the customer's network," Weinert writes.
He argues that cloud-based identity systems such as Azure Active Directory (Azure AD) are more secure than on-premises identity systems because the latter lack cloud-based protections: Azure AD Password Protection, which eliminates weak passwords; recent advances in password spray detection; and improved AI for preventing account compromise.
In the cases where the actor succeeded, Weinert notes that highly privileged vendor accounts lacked additional protections such as multi-factor authentication (MFA), IP range restrictions, device compliance, or access reviews. Microsoft has found that 99.9% of the compromised accounts it tracks each month do not use MFA.
MFA is an important control because a compromised high-privilege account can be used to obtain the means to forge SAML tokens, either by stealing the on-premises signing key or by adding a rogue federation trust, and with those tokens to access cloud resources. As the NSA noted in its advisory following the disclosure of the SolarWinds hack: "If the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens."
Stricter permissions on user accounts and devices would also have limited how far this technique could be pushed once the attackers had a forged token.
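The NSA sentence above describes two observable moves: a malicious certificate trust relationship being added to the tenant, and SAML tokens that the cloud accepts even though the on-premises AD FS farm never issued them. The following is an added example, not code from Microsoft, the NSA or the article, showing how to look for both in exported logs. The audit-log activity names follow those Microsoft's Solorigate hunting guidance calls out, the AD FS event IDs are the standard token-issued events, and the one-hour lifetime threshold and every log record are assumptions constructed for the example.

```python
"""Detect federation-trust changes and forged SAML tokens from constructed
Azure AD audit-log, Azure AD sign-in-log and AD FS event records.
Added example; not Microsoft's, the NSA's or the article's code."""
from datetime import datetime, timedelta

# Azure AD audit activities that change how a domain authenticates. Names follow
# Microsoft's Solorigate hunting guidance; treat the set as an assumption to extend.
FEDERATION_CHANGE_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
}

# AD FS issues SAML tokens valid for one hour by default; forged tokens in the
# SolarWinds campaign carried far longer windows. Threshold is an assumption.
MAX_TOKEN_LIFETIME = timedelta(hours=1)

# AD FS security-log event IDs that record a successfully issued token.
ADFS_TOKEN_ISSUED_EVENTS = {1200, 1202}


def find_federation_changes(audit_events):
    """Return audit events that add or alter a federation trust, with the actor."""
    hits = []
    for ev in audit_events:
        if ev["activityDisplayName"] in FEDERATION_CHANGE_ACTIVITIES:
            hits.append({
                "time": ev["activityDateTime"],
                "actor": ev["initiatedBy"],
                "activity": ev["activityDisplayName"],
                "domain": ev["targetDomain"],
            })
    return hits


def find_suspicious_saml_signins(adfs_events, cloud_signins, max_lifetime=MAX_TOKEN_LIFETIME):
    """Correlate cloud sign-ins that presented a SAML assertion with AD FS issuance.

    A token the cloud accepted but AD FS never logged, or one with an abnormal
    lifetime, is the footprint of a token minted with a stolen or rogue signing key.
    """
    issued = {ev["assertion_id"] for ev in adfs_events if ev["event_id"] in ADFS_TOKEN_ISSUED_EVENTS}
    findings = []
    for s in cloud_signins:
        reasons = []
        if s["assertion_id"] not in issued:
            reasons.append("no matching AD FS issuance event")
        lifetime = datetime.fromisoformat(s["not_on_or_after"]) - datetime.fromisoformat(s["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds {max_lifetime}")
        if reasons:
            findings.append({"assertion_id": s["assertion_id"], "user": s["user"], "reasons": reasons})
    return findings


# Constructed sample records (not real logs).
AUDIT_EVENTS = [
    {"activityDateTime": "2020-12-14T02:10:00", "activityDisplayName": "Update user",
     "initiatedBy": "helpdesk@example.com", "targetDomain": ""},
    {"activityDateTime": "2020-12-14T02:12:30", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "svc-legacy-sync@example.com", "targetDomain": "example.com"},
]

ADFS_EVENTS = [
    {"event_id": 1200, "assertion_id": "_a1", "user": "alice@example.com"},
    {"event_id": 1200, "assertion_id": "_b2", "user": "bob@example.com"},
]

CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "user": "alice@example.com",
     "not_before": "2020-12-14T03:00:00", "not_on_or_after": "2020-12-14T04:00:00"},
    {"assertion_id": "_b2", "user": "bob@example.com",
     "not_before": "2020-12-14T03:05:00", "not_on_or_after": "2020-12-14T04:05:00"},
    # Accepted by the cloud, never issued by AD FS, valid for 24 hours: forged.
    {"assertion_id": "_zz9", "user": "globaladmin@example.com",
     "not_before": "2020-12-14T03:10:00", "not_on_or_after": "2020-12-15T03:10:00"},
]


def run_demo():
    """Run both checks over the constructed records and return their findings."""
    return find_federation_changes(AUDIT_EVENTS), find_suspicious_saml_signins(ADFS_EVENTS, CLOUD_SIGNINS)


if __name__ == "__main__":
    trust_changes, bad_tokens = run_demo()
    for hit in trust_changes:
        print("federation change:", hit)
    for finding in bad_tokens:
        print("suspicious token:", finding)
```

The correlation only works if AD FS security auditing is enabled and the assertion ID is available on the cloud side; where the sign-in log does not expose it, correlating on user, time and token lifetime is the fallback. A federation-settings change by a service account, as in the constructed sample, is exactly the event that should page someone regardless of what the token check finds.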
“Even in the worst-case scenario of SAML token forgery, excessive user permissions and missing network policy and device restrictions allowed attacks to progress,” Weinert notes.
“The first principle of Zero Trust is to explicitly verify – be sure to extend this verification to all access requests, even those from vendors and especially those from on-premises environments.”
Finally, Weinert recalls why least-privilege access is essential to minimizing an attacker's opportunities to move laterally once inside a network. Least privilege compartmentalizes an intrusion by limiting what a compromised user, device, or network segment can reach in the environment.
With Solorigate – the name Microsoft uses for the SolarWinds malware – the attackers "took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications that shouldn't have had any permissions at all," Weinert notes.
Weinert acknowledges that the SolarWinds hack was a "truly significant and advanced attack," but the risk from the techniques it used can be significantly reduced or mitigated with these best practices.
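Both the vendor-account gaps listed earlier (privileged accounts without MFA or access reviews) and the three conditions Weinert names here (broad role assignments, permissions beyond role requirements, abandoned accounts and applications) can be found with an offline review of a directory export. The block below is an added example, not Microsoft's tooling or anything from the article; the field names, the set of roles and Graph application permissions treated as high-impact, the 90-day staleness window and the directory snapshot are all assumptions constructed for the example.

```python
"""Least-privilege review over a constructed directory snapshot: privileged
accounts without MFA, roles beyond what an access review approved, abandoned
privileged accounts, and unused apps holding high-impact permissions.
Added example; not Microsoft's code. Field names and thresholds are assumptions."""
from datetime import datetime, timedelta

# Directory roles treated as privileged for this review (assumed list).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
}

# Microsoft Graph application permissions that give an app tenant-wide reach
# or mailbox access; the list is an assumption, extend it for your tenant.
HIGH_IMPACT_APP_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Mail.ReadWrite",
}

# An identity with no activity for this long is treated as abandoned (assumption).
STALE_AFTER = timedelta(days=90)


def _stale(last_used, now):
    """True when the identity has never been used or not within STALE_AFTER."""
    return last_used is None or now - datetime.fromisoformat(last_used) > STALE_AFTER


def review_users(users, now):
    """Flag privileged accounts without MFA, roles exceeding the approved set,
    and privileged accounts nobody has signed in with recently."""
    findings = []
    for u in users:
        held, approved = set(u["roles"]), set(u["approved_roles"])
        privileged = held & PRIVILEGED_ROLES
        if privileged and not u["mfa_registered"]:
            findings.append((u["upn"], "privileged account without MFA", sorted(privileged)))
        excess = held - approved
        if excess:
            findings.append((u["upn"], "roles exceed approved requirement", sorted(excess)))
        if privileged and _stale(u["last_sign_in"], now):
            findings.append((u["upn"], "abandoned privileged account", sorted(privileged)))
    return findings


def review_apps(apps, now):
    """Flag service principals holding high-impact permissions that no workload uses."""
    findings = []
    for a in apps:
        risky = set(a["app_permissions"]) & HIGH_IMPACT_APP_PERMISSIONS
        if risky and _stale(a["last_credential_use"], now):
            findings.append((a["display_name"], "unused app with high-impact permissions", sorted(risky)))
    return findings


# Constructed snapshot (not a real tenant). "approved_roles" stands in for the
# outcome of an access review; "last_*" fields come from sign-in logs.
NOW = datetime(2020, 12, 20)
USERS = [
    {"upn": "alice@example.com", "roles": ["Global Administrator"],
     "approved_roles": ["Global Administrator"], "mfa_registered": True,
     "last_sign_in": "2020-12-18T09:00:00"},
    {"upn": "vendor-support@example.com", "roles": ["Global Administrator"],
     "approved_roles": ["Helpdesk Administrator"], "mfa_registered": False,
     "last_sign_in": "2020-12-19T16:30:00"},
    {"upn": "old-admin@example.com", "roles": ["Application Administrator"],
     "approved_roles": ["Application Administrator"], "mfa_registered": True,
     "last_sign_in": None},
]
APPS = [
    {"display_name": "Mail-Protection-Legacy", "app_permissions": ["Mail.ReadWrite"],
     "last_credential_use": "2020-06-01T00:00:00"},
    {"display_name": "HR-Sync", "app_permissions": ["User.Read.All"],
     "last_credential_use": "2020-12-19T02:00:00"},
]


def run_review():
    """Return (user findings, app findings) for the constructed snapshot."""
    return review_users(USERS, NOW), review_apps(APPS, NOW)


if __name__ == "__main__":
    for finding in run_review()[0] + run_review()[1]:
        print(*finding)
```

The vendor account in the sample is the combination Weinert describes: a tenant-wide role it was never approved for and no MFA, so a single sprayed or phished password is enough. The legacy mail-protection app mirrors the Malwarebytes case, an application with mailbox-wide permissions that nothing has used for months; removing its permissions or the service principal costs nothing and closes a path into email.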