Even as investigations into the sophisticated attack known as Solorigate are still underway, details and insights about the tools, patterns, and methods used by the attackers point to steps that organizations can take to improve their defenses against similar attacks. Solorigate is a cross-domain compromise; comprehensive visibility and coordinated defense are critical in responding to the attack. The same unified end-to-end protection is key to increasing resilience and preventing such attacks.
This blog is a guide for security administrators using Microsoft 365 Defender and Azure Defender to identify and implement security configuration and posture improvements that harden enterprise environments against Solorigate's attack patterns.
The recommendations in this blog are based on our current analysis of the Solorigate attack. While this threat continues to evolve and investigations continue to unearth more information, we're publishing these recommendations to help customers apply improvements today. To get the latest information and guidance from Microsoft, visit https://aka.ms/solorigate. Security operations and incident response teams looking for detection coverage and hunting guidance can refer to https://aka.ms/detect_solorigate.
Solorigate is a complex, multi-stage attack that involved the use of advanced attacker techniques across multiple environments and multiple domains to compromise high-profile targets. To perpetrate this sophisticated attack, the attackers performed the steps below, which are discussed in detail in this blog:
Compromise a legitimate binary belonging to the SolarWinds Orion Platform through a supply-chain attack
Deploy backdoor malware on devices using the compromised binary to allow attackers to remotely control affected machines
Use the backdoor access on compromised machines to steal credentials, escalate privileges, and move laterally across on-premises environments to gain the ability to create SAML tokens
Access cloud resources to search for accounts of interest and exfiltrate emails
As its intricate attack chain indicates, Solorigate represents a modern cyberattack conducted by highly motivated actors who have demonstrated they won't spare resources to reach their goal. The collective intelligence about this attack shows that, while hardening individual security domains is important, defending against today's advanced attacks requires a holistic understanding of the relationship between these domains and of how a compromise in one environment can be a jump-off point to another.
The Microsoft Defender for Endpoint threat analytics reports published in the Microsoft 365 security center enable customers to trace such cross-domain threats by providing end-to-end analysis of critical threats. In the case of Solorigate, Microsoft researchers have so far published two threat analytics reports, which continue to be updated as additional information becomes available:
Sophisticated actor attacks FireEye, which provides information about the FireEye breach and compromised red-team tools
Solorigate supply chain attack, which provides a detailed analysis of the SolarWinds supply chain compromise
In addition to providing detailed descriptions of the attack, TTPs, indicators of compromise (IoCs), and the all-up impact of the threat to the organization, the threat analytics reports empower security administrators to review organizational resilience against the attack and apply recommended mitigations. These mitigations and other recommended best practices are discussed in the following sections. Customers who don't have access to threat analytics can refer to the publicly available customer guidance.
Protecting devices and servers
The attackers behind Solorigate gain initial access to target networks by activating backdoor code inserted into the compromised SolarWinds binary. Protecting machines against this stage of the attack can help prevent the more damaging impact of the later stages.
In the ongoing comprehensive research into the complex Solorigate attack, one thing remains certain: full in-depth visibility into your machines is key to gaining insights on security posture, risk, and potential attack activity. Make sure all your devices are protected and monitored by Microsoft Defender for Endpoint.
Figure 3. Status tile in the Device configuration management tab of Microsoft Defender for Endpoint, showing onboarded devices compared to the total number of devices managed via Endpoint Manager
Identify and patch vulnerable SolarWinds Orion applications
The Solorigate attack employs vulnerable versions of the SolarWinds Orion application, so we recommend that you identify machines running vulnerable versions of the application and ensure they are updated to the latest version. The threat analytics report uses insights from threat and vulnerability management to identify such devices. On the Mitigations page in Threat analytics, you can view the number of devices exposed to vulnerability ID TVM-2020-0002, which we added specifically to help with Solorigate investigations:
Figure 4. The Threat analytics Mitigations page shows information on exposed devices
The new vulnerability ID TVM-2020-0002 was added to the threat and vulnerability management Weaknesses page in Microsoft Defender for Endpoint so you can easily find exposed devices that have vulnerable SolarWinds software components installed. Additional details are available in the vulnerability details pane.
Figure 5. Threat and vulnerability management vulnerability details pane for TVM-2020-0002
Customers can also use the software inventory page in threat and vulnerability management to view the SolarWinds Orion versions present on endpoints in your environment and whether the vulnerable versions are present. Links to the threat analytics reports are provided under the Threat column. You can then assess the footprint of a specific software product in your organization and identify the impacted devices without the need to run scans across the install base.
Security recommendations are provided to update devices running vulnerable software versions.
Security admins can also use advanced hunting to query, refine, and export data. The following query retrieves an inventory of the SolarWinds Orion software in your organization, organized by product name and sorted by the number of devices that have the software installed; a second query then lists the devices exposed to vulnerability ID TVM-2020-0002:
// Inventory of SolarWinds Orion software by product name. The source table is not shown on the
// page; the DeviceTvmSoftwareInventoryVulnerabilities advanced hunting table is assumed here.
DeviceTvmSoftwareInventoryVulnerabilities
| where SoftwareVendor == 'solarwinds'
| where SoftwareName startswith 'orion'
| summarize dcount(DeviceName) by SoftwareName
| sort by dcount_DeviceName desc

// Separate query: devices exposed to vulnerability ID TVM-2020-0002
// (CveId is filtered before any summarize, so the column is still present)
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId == 'TVM-2020-0002'
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
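As an added example that is not part of the original post, the following advanced hunting query extends the inventory above to a per-version view: it counts devices for each SolarWinds Orion component and version and shows, beside each row, how many of those devices threat and vulnerability management flags as exposed to TVM-2020-0002, so the versions to update first stand out. It assumes the DeviceTvmSoftwareInventoryVulnerabilities table as the source, with one row per device and software product and CveId populated where a vulnerability applies.

```kusto
// Added example, not from the original post.
// Assumption: DeviceTvmSoftwareInventoryVulnerabilities is the source table; it holds one row
// per device and software product, with CveId populated where a vulnerability applies.
let orion = DeviceTvmSoftwareInventoryVulnerabilities
    | where SoftwareVendor == 'solarwinds'
    | where SoftwareName startswith 'orion';
// Distinct devices per component/version that carry the Solorigate vulnerability ID
let exposed = orion
    | where CveId == 'TVM-2020-0002'
    | summarize ExposedDevices = dcount(DeviceId) by SoftwareName, SoftwareVersion;
// Full footprint per component/version, joined with the exposed count;
// versions with no exposed devices get 0 instead of an empty value
orion
| summarize TotalDevices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 10) by SoftwareName, SoftwareVersion
| join kind=leftouter exposed on SoftwareName, SoftwareVersion
| extend ExposedDevices = coalesce(ExposedDevices, 0)
| project SoftwareName, SoftwareVersion, TotalDevices, ExposedDevices, SampleDevices
| sort by ExposedDevices desc, TotalDevices desc
```

Rows with ExposedDevices greater than zero are the versions to remediate first; SampleDevices gives up to ten device names per row to start the remediation request from.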
For each security recommendation, you can submit a request to the IT administrator to remediate vulnerable devices. Doing this creates a security task in Microsoft Endpoint Manager (formerly Intune) that can be continuously tracked on the threat and vulnerability management Remediation page. To use this capability, you need to enable a Microsoft Endpoint Manager connection.
Implement recommended security configurations
In addition to providing vulnerability assessments, Threat and Vulnerability Management also provides security recommendation guidance and device posture assessment that help mitigate this attack. These recommendations use vulnerability data that is also present in the Solorigate threat analytics report.
Component | Secure configuration recommendations | Attack stage
Security controls (Antivirus) | Turn on real-time protection | Stage 1
Applying these security controls can be accomplished using Microsoft Endpoint Manager (Intune and Configuration Manager). Refer to the following documentation for guidance on deploying and managing policies with Endpoint Manager:
Protecting on-premises and cloud infrastructure
In addition to compromising client endpoints, attackers can also activate backdoor code via the compromised SolarWinds binary installed on cloud or on-premises servers, allowing them to gain a stronger foothold in the environment.
Protect your on-premises and cloud servers
A large part of many customers' infrastructure is virtual machines. Azure Defender helps security professionals protect cloud workloads spanning virtual machines, SQL, storage, containers, IoT, the Azure network layer, Azure Key Vault, and more.
As mentioned earlier, one of the key actions that should be taken to help prevent Solorigate and similar attacks is to ensure that all machines are protected and monitored by Microsoft Defender for Endpoint. Deploying Azure Defender for Servers enables Defender for Endpoint for your virtual machines to provide comprehensive detection coverage across the Solorigate attack chain. Azure Defender's integrated vulnerability assessment solution for Azure and hybrid machines can also help address the Solorigate attack by providing visibility into vulnerability assessment findings in Azure Security Center.
Enable additional infrastructure protection and monitoring
To help provide additional in-depth defenses against Solorigate, Azure Defender recently introduced new protection modules for Azure resources. Enabling these protections can improve your visibility into malicious activities and increase the number of Azure resources protected by Azure Defender.
Azure Defender for Resource Manager allows you to continuously monitor all Azure resource management operations. Its protection includes the ability to detect attempts to exclude known malicious files from the VM Antimalware extension and other suspicious activities that could limit antimalware protection on Azure VMs.
In addition, Azure Defender for DNS ensures that all DNS queries from Azure resources using Azure DNS, including communications with malicious domains used in the Solorigate attack, are monitored, and helps identify Solorigate activity across any of your Azure cloud resources. This helps prevent the malicious Solorigate DLL from being able to connect to remote network infrastructure to prepare for possible second-stage payloads.
Protect your Active Directory and AD FS infrastructure
After gaining access, attackers may attempt to steal credentials, escalate privileges, and move laterally in the environment. Having complete visibility into your Active Directory, whether wholly on-premises or hosted on IaaS machines, is key to detecting these attacks and recognizing opportunities to harden security posture to prevent them.
In hybrid environments, make sure that Microsoft Defender for Identity sensor components are deployed on all your Domain Controllers and Active Directory Federation Services (AD FS) servers. Microsoft Defender for Identity not only detects malicious attempts to compromise your environment but also builds profiles of your on-premises identities for proactive investigations and provides you with built-in security assessments. We recommend prioritizing the deployment of Microsoft Defender for Identity sensors and using the "Unmonitored domain controllers" security assessment, which lists any detected domain controllers in your environment that are unmonitored. (Note: this capability can monitor your environment only after deploying at least one sensor on a domain controller.)
Protecting Microsoft 365 cloud from on-premises attacks
The end goal of the attackers behind Solorigate is to gain access to a target organization's cloud environment, search for accounts of interest, and exfiltrate emails. From a compromised device, they move laterally across the on-premises environment, stealing credentials and escalating privileges until they gain the ability to create SAML tokens that they then use to access the cloud environment. Protecting cloud resources from on-premises attack can prevent the attackers from successfully achieving their long game.
Implement recommended security configurations to harden cloud posture
Further best practices and recommendations to reduce the attack surface and protect the cloud from on-premises compromise can be found in our protecting Microsoft 365 cloud from on-premises attacks blog.
Implement conditional access and session control to secure access to cloud resources
In addition to hardening the individual surfaces to disrupt and prevent the attack, extending policies to implement zero trust and access controls is key to preventing compromised or unhealthy devices from accessing corporate assets, as well as to governing cloud access from compliant devices.
Enable conditional access policies
Conditional access helps you better protect your users and enterprise information by making sure that only secure users and devices have access. We recommend implementing the common recommended policies for securing access to Microsoft 365 cloud services, including on-premises applications published through Azure Active Directory (Azure AD) Application Proxy.
Additionally, you can configure user risk and device risk conditional access policies to enable access to enterprise information based on the risk level of a user or device, helping keep trusted users on trusted devices using trusted applications.
Enable real-time monitoring and session control
Directly integrated with conditional access, session controls in Microsoft Cloud App Security extend access decisions into the session, with real-time monitoring and control over user actions in your sanctioned apps. Implement policies to prevent data exfiltration in risky situations, including blocking or protecting downloads to risky or unmanaged devices, as well as for partner users.
Additional recommendations and best practices
Strengthen your security posture even further by reviewing all improvement actions available via Microsoft Secure Score. Secure Score helps operationalize security posture management and improve your organizational security hygiene for your production tenant. Below are some of the Secure Score improvement actions for Azure Active Directory that have a direct impact against Solorigate attack patterns:
Do not allow users to grant consent to unmanaged applications
Enable Password Hash Sync if hybrid
Enable policy to block legacy authentication
Enable self-service password reset
Ensure all users can complete multi-factor authentication for secure access
Require MFA for administrative roles
Turn on sign-in risk policy
Turn on user risk policy
Use limited administrative roles
In addition, you can use the identity security posture assessment feature in Microsoft Defender for Identity to identify common protection gaps that might exist in your environment. Addressing gaps such as the following improves your Microsoft Secure Score and improves your overall resilience to a broader range of credential theft attacks:
Stop entities that expose credentials in cleartext, including ones that are tagged as sensitive. Attackers listen for cleartext credentials being sent over the network to harvest credentials and escalate privileges. While we have no indication that this technique was used in Solorigate, this is a general attack trend that organizations must be aware of and avoid.
Remediate accounts with unsecure attributes that could allow attackers to compromise them once an initial foothold in the environment is established.
Reduce risky lateral movement paths to sensitive users. An attacker could move across devices to elevate to a more privileged role and operate deeper in your organization's environment, as we've witnessed in the Solorigate attack.
Multiple layers of coordinated defense against advanced cross-domain attacks
Microsoft 365 Defender and Azure Defender deliver consolidated, intelligent, and automated security across domains to empower organizations to gain end-to-end threat visibility, which, as the Solorigate attack has shown, is a critical security capability for all organizations to have. In addition to providing comprehensive visibility and rich investigation tools, Microsoft 365 Defender and Azure Defender help you continuously improve your security posture based on insights from collective industry research or your own investigations into attacks, through configurations you can make directly in the product or in-product recommendations you can implement.
For additional information and guidance from Microsoft, refer to the following:
Customer guidance on recent nation-state cyber attacks
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack
SolarWinds post-compromise hunting with Azure Sentinel
Advice for incident responders on recovery from systemic identity compromises
Using Microsoft 365 Defender to protect against Solorigate