The US Cybersecurity and Infrastructure Security Agency (CISA) said today that the threat actor behind the SolarWinds hack also used password guessing and password spraying attacks to breach targets as part of its recent hacking campaign and didn’t always rely on trojanized updates as its initial access vector.
The new developments come as CISA said last month in its initial advisory on the SolarWinds incident that it was investigating cases where the SolarWinds hackers breached targets that didn’t run the SolarWinds Orion software.
While no details were provided at the time, in an update to its original advisory posted this week, CISA said it finally confirmed that the SolarWinds hackers also relied on password guessing and password spraying as initial access vectors.
“CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [T1101.001], password spraying [T1101.003], and inappropriately secured administrative credentials [T1078] accessible via external remote access services [T1133],” the agency said on Wednesday.
Once the threat actors gained access to internal networks or cloud infrastructure, CISA said the hackers, believed to be Russian in origin, escalated privileges to obtain administrator rights and then forged authentication tokens (OAuth) that let them reach other local or cloud-hosted resources inside a company’s network without presenting valid credentials or completing multi-factor authentication challenges.
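The password-spraying access vector CISA describes above has a recognizable shape in sign-in logs: one source tries many accounts with only an attempt or two each, rather than hammering a single account. The following is an added example, not CISA's, Sparrow's or any vendor's code, that runs that heuristic over a constructed log sample in an assumed "timestamp,user,source_ip,result" format and then lists which accounts succeeded from a spraying source, since those are the ones to triage for the follow-on token abuse the advisory warns about.

```python
# Added example: a spray heuristic over sign-in logs; not CISA's or Sparrow's code.
# Assumed constructed log format: "timestamp,user,source_ip,result".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): one source tries many
# accounts once each (spray), another hammers a single account (brute force).
SAMPLE_LOG = """\
2021-01-06T08:00:01,alice,203.0.113.5,failure
2021-01-06T08:00:07,bob,203.0.113.5,failure
2021-01-06T08:00:12,carol,203.0.113.5,failure
2021-01-06T08:00:20,dave,203.0.113.5,failure
2021-01-06T08:00:25,erin,203.0.113.5,failure
2021-01-06T08:00:33,frank,203.0.113.5,success
2021-01-06T08:01:00,alice,198.51.100.9,failure
2021-01-06T08:01:05,alice,198.51.100.9,failure
2021-01-06T08:01:09,alice,198.51.100.9,failure
2021-01-06T09:30:00,gina,192.0.2.44,failure
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split(",")
            events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    # A spray is many accounts, few attempts each, from one source. Flag a
    # source IP whose failures span >= min_accounts distinct users within
    # any `window`; a single account hammered from one IP is NOT flagged.
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def successes_from_flagged(events, flagged):
    # Accounts that then signed in from a spraying source: triage these first.
    return sorted({u for _, u, ip, r in events if ip in flagged and r == "success"})
```

With the sample above, `detect_spray` flags only 203.0.113.5 and `successes_from_flagged` returns `["frank"]`; the three failures against alice from 198.51.100.9 are brute force, not a spray, and stay unflagged.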
In a report published on December 28, Microsoft said the threat actor’s primary goal was to gain access to cloud-hosted infrastructure, which in many cases was the company’s own Azure and Microsoft 365 environments.
CISA releases Microsoft cloud-specific guidance
To help victims deal with these “to-cloud” escalations, CISA has also published a second advisory today with guidance on how to search Microsoft-based cloud setups for traces of this group’s activity and then remediate servers.
CISA said the guidance is “irrespective of the initial access vector” that the SolarWinds hackers leveraged to gain control of cloud resources and should apply even if the initial access vector was the trojanized Orion app or a password guessing/spraying attack.
The guidance also references Sparrow, a tool CISA released last year during the SolarWinds breach investigation to help victims detect possibly compromised accounts and applications in Azure and Microsoft 365 environments.
Security firm CrowdStrike also released a similar tool called CST.