Microsoft is issuing guidance in the wake of a targeted cyberattack most recently aimed at parts of the US government. Microsoft’s issuance is both parts, identifying recent nation-state sanctioned attack techniques as well as giving its customer assurance that as of now, “we have not identified any Microsoft product or cloud service vulnerabilities in these investigations.”
According to a post on a company blog title Important steps for customers to protect themselves from recent nation-state cyberattacks, Microsoft list the following techniques that have been used by nefarious agents to conduct the relatively recent sophisticated cyberattacks.
- An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory.
- An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token- signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
- Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.
- Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
While the above are highlights mentioned by Microsoft in this particular post, the company’s full 2020 Digital Defense Report goes further in-depth discussing specific criminal groups, their activity during the COVID-19 pandemic, and a community approach to cybersecurity among other things. Even as Microsoft attempts to become a proprietor of cybersecurity, the company acknowledges that its efforts are, “only a small piece of what’s needed to address the challenge.”
