By Bruce Sussman
Fri | Dec 18, 2020 | 9:50 AM PST

A new US-CERT alert reveals that the nation-state actors behind the SolarWinds supply chain attack may have found another way into networks, as well.

CISA spelled this out very clearly:

"The SolarWinds Orion supply chain compromise is not [CISA's emphasis] the only initial infection vector this APT actor leveraged."

Outlook Web App may also be leveraged in nation-state cyberattack

Another cyberattack method for initial infection appears to involve the Outlook Web App and a stolen key. Says CISA:

"CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.

Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA).

Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known."

What if the SolarWinds and SUNBURST malware part of the attack was just the outside of the onion here? Each time we pull back one layer, there is another attack layer underneath. CISA's wording suggests that is entirely possible.

CISA details 'kill switch' in SolarWinds supply chain attack

A few days after the breach, headlines talked about a "kill switch" that Microsoft and others activated to prevent new infections. CISA is now offering some specifics and warning that if your network is already infected with the SUNBURST malware, the kill switch may not stop an attack.

"Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.

SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted."

Nation-state cyber attack methodology and motive

SecureWorld previously detailed how the attackers tried to cover their tracks and blend in with expected traffic. Now, FireEye and CISA are revealing another tactic your organization should watch for, to the extent your monitoring allows:

"While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user's normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database."
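The "outside of a user's normal duties" check CISA describes is easier to reason about with code in front of you. The following is an added example, not from the CISA alert or any vendor product: it learns which resources each department normally touches from a historical access log, then flags new accesses outside that baseline. The log fields, department names, resource names and all events are constructed for illustration.

```python
"""Flag valid-but-unauthorized account use by spotting access outside a
department's normal duties (added example; all data below is constructed)."""
from collections import defaultdict

# Constructed historical access log: (user, department, resource).
# This is the "known good" window used to learn what normal looks like.
HISTORY = [
    ("jdoe", "hr", "hr-portal"), ("jdoe", "hr", "payroll"), ("jdoe", "hr", "mail"),
    ("msmith", "hr", "hr-portal"), ("msmith", "hr", "mail"),
    ("analyst1", "threat-intel", "cti-db"), ("analyst1", "threat-intel", "mail"),
    ("analyst2", "threat-intel", "malware-sandbox"),
    ("svc-orion", "it", "ad-admin-console"), ("svc-orion", "it", "patch-server"),
]

# Constructed new events to score: (timestamp, user, department, resource).
NEW_EVENTS = [
    ("2020-12-14T08:02:11Z", "jdoe", "hr", "hr-portal"),
    ("2020-12-14T23:41:07Z", "jdoe", "hr", "cti-db"),        # HR reading threat intel
    ("2020-12-14T09:10:00Z", "analyst1", "threat-intel", "cti-db"),
    ("2020-12-14T03:01:33Z", "svc-orion", "it", "cti-db"),   # Orion service account wandering
    ("2020-12-14T03:05:10Z", "ghost", "unknown-dept", "payroll"),  # account with no history
]


def learn_baseline(history):
    """Map each department to the set of resources it touched historically."""
    baseline = defaultdict(set)
    for _user, dept, resource in history:
        baseline[dept].add(resource)
    return dict(baseline)


def out_of_role_access(events, baseline):
    """Return events whose resource lies outside the department's baseline.

    A department with no history has an empty baseline, so every access by an
    unmapped account is surfaced for review rather than silently accepted."""
    return [
        {"time": ts, "user": user, "department": dept, "resource": resource}
        for ts, user, dept, resource in events
        if resource not in baseline.get(dept, set())
    ]


if __name__ == "__main__":
    for hit in out_of_role_access(NEW_EVENTS, learn_baseline(HISTORY)):
        print(f"{hit['time']} {hit['user']} ({hit['department']}) -> {hit['resource']}")
```

In a real environment the baseline would come from weeks of identity-provider or proxy logs rather than a hand-written list, and findings would feed a triage queue, not an automatic block.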

And this technique feeds into what CISA has found to be the attackers' main mission:

"The adversary's initial objectives, as understood today, appear to be to collect information from victim environments.

One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs)."
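Because a token signed with a stolen SAML signing certificate is cryptographically valid, the service that accepts it cannot tell it apart from a real one. What the service can do is compare what it accepted against what the identity provider actually issued. The script below is an added example, not from the CISA alert, Volexity or any vendor tool: it reports tokens presented to a service provider that have no matching issuance record at the IdP, or whose validity window exceeds the IdP's configured lifetime. The log shape, the one-hour policy and every record are constructed assumptions.

```python
"""Correlate SAML tokens accepted by a service provider with the identity
provider's issuance records (added example; all records are constructed)."""
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%SZ"
MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed IdP policy for this example

# Constructed IdP issuance records: token id -> (subject, issued-at).
IDP_ISSUED = {
    "t-1001": ("alice@example.test", "2020-12-14T09:00:00Z"),
    "t-1002": ("bob@example.test", "2020-12-14T09:05:00Z"),
}

# Constructed service-provider sign-ins: the tokens actually presented.
SP_SIGNINS = [
    {"token": "t-1001", "subject": "alice@example.test",
     "not_before": "2020-12-14T09:00:00Z", "not_after": "2020-12-14T10:00:00Z"},
    {"token": "t-1002", "subject": "bob@example.test",
     "not_before": "2020-12-14T09:05:00Z", "not_after": "2020-12-14T10:05:00Z"},
    # Never issued by the IdP and valid for a year: consistent with a token
    # minted directly with the stolen signing certificate.
    {"token": "t-9f3a", "subject": "admin@example.test",
     "not_before": "2020-12-14T09:30:00Z", "not_after": "2021-12-14T09:30:00Z"},
]


def parse_ts(value):
    return datetime.strptime(value, ISO)


def suspicious_tokens(signins, issued, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return (token, subject, reasons) for each sign-in that the IdP cannot
    vouch for or whose lifetime breaks policy. Each reason is independent,
    so a forged token usually trips more than one."""
    findings = []
    for s in signins:
        reasons = []
        record = issued.get(s["token"])
        if record is None:
            reasons.append("no matching IdP issuance record")
        elif record[0] != s["subject"]:
            reasons.append("subject differs from IdP record")
        if parse_ts(s["not_after"]) - parse_ts(s["not_before"]) > max_lifetime:
            reasons.append("validity window exceeds IdP policy")
        if reasons:
            findings.append((s["token"], s["subject"], reasons))
    return findings


if __name__ == "__main__":
    for token, subject, reasons in suspicious_tokens(SP_SIGNINS, IDP_ISSUED):
        print(f"{token} for {subject}: {'; '.join(reasons)}")
```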

IT and cybersecurity personnel could be monitored by the attackers

It is just a single sentence in the new CISA Advanced Persistent Threat alert; however, it is a significant point for our security and IT readers.

If your organization has been compromised in this attack, it is possible your email account is being monitored by adversaries.

"CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel."

As a result, U.S. government responders are essentially recommending you operate with a healthy dose of paranoia:

"...discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats."

CISA says operational security plans should include:

  • Out-of-band communications guidance for staff and leadership;
  • An outline of what "normal business" is acceptable to be conducted on the suspect network;
  • A call tree for critical contacts and decision making; and
  • Considerations for external communications to stakeholders and media.

In other words, operate as though the adversary is monitoring your typical communication channels—and use some new ones.

Read the new CISA alert.
