Malwarebytes has confirmed that the SolarWinds attackers managed to access internal emails, although via a different intrusion vector to many victims.

While many of the organizations caught up in the suspected Russian cyber-espionage campaign were compromised via a malicious SolarWinds Orion update, US government agency CISA had previously pointed to a second threat vector. This involved use of password guessing or spraying and/or exploiting inappropriately secured admin or service credentials.

The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained.

“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.

The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks. They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users; compromising credentials of highly privileged on-premises accounts synced to Microsoft 365; and modifying/adding trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls.

The attackers also backdoored existing Microsoft 365 apps by adding a new application or service principal credential. This enabled them to use the legitimate permissions assigned to the application, such as reading emails, FireEye said.

The group, which has been dubbed UNC2452, also turned over FireEye – the initial incident that led investigators to the SolarWinds compromise – and a number of other tech firms. However, its compromise of Malwarebytes was not carried out via SolarWinds, as the two firms do not have a relationship.

The security vendor has joined CrowdStrike and CISA in releasing a new tool which will help organizations spot if their Microsoft 365 tenants have been subject to the same techniques used by the group.

In a message disclosing the incident, Malwarebytes CEO Marcin Kleczynski said that there was no doubt the company was attacked by the same gang.

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” he wrote. “After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorised access or compromise in any of our internal on-premise and production environments.”

Malwarebytes first learned of suspicious activity, consistent with the tactics, techniques and procedures (TTPs) of UNC2452, from a third-party application within its Microsoft Office 365 tenant from Microsoft’s Security Response Centre on 15 December 2020. At that point, it activated its own incident response procedures and engaged assistance from Microsoft to investigate its cloud and on-premise environments for activity related to the application programming interface (API) calls that triggered the alert.

The investigators found UNC2452 exploited a dormant email protection product within its Office 365 tenant that gave it access to a “limited subset” of internal emails – note that it does not use Azure cloud services in its production environments.

UNC2452 is known to use additional means besides Solorigate/Sunburst to compromise high-value targets, leveraging admin or service credentials. In this case, it used a flaw in Azure Active Directory first exposed in 2019 that allows an attacker to escalate privileges by assigning credentials to applications, giving backdoor access, via the principals’ credentials, to Microsoft Graph and Azure AD Graph.
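The FireEye TTP list above (new application or service principal credentials, changed domain federation) and the tenant-checking tool the vendors released both come down to reviewing Azure AD audit records. As an added example that is not part of the article or of any vendor's tool, the script below triages constructed audit records in the shape of Azure AD audit-log entries, flagging credential additions and federation changes, and marking a credential addition as suspicious when the target app had no sign-in for a long period (the "dormant" case the article describes); the operation names, the 90-day threshold and the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Audit-log operation names matching the TTPs described above (assumed to
# match the names in a tenant's audit log; verify against your own logs).
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain"}
DORMANT_DAYS = 90  # assumed threshold for treating an app as dormant


def _actor(ev):
    who = ev.get("initiatedBy", {})
    return (who.get("user", {}).get("userPrincipalName")
            or who.get("app", {}).get("displayName") or "unknown")


def triage_audit_events(events, last_app_signin):
    """Flag app/service-principal credential additions and federation changes.
    last_app_signin maps app display name -> datetime of its last sign-in
    (constructed here; in practice derived from sign-in logs)."""
    findings = []
    for ev in events:
        op = ev.get("operationName", "")
        when = datetime.fromisoformat(ev["activityDateTime"])
        targets = [t.get("displayName", "") for t in ev.get("targetResources", [])]
        if op in CREDENTIAL_OPS:
            # No recent sign-in for the target app: credential added to a dormant app.
            dormant = any(when - last_app_signin.get(t, datetime.min)
                          > timedelta(days=DORMANT_DAYS) for t in targets)
            findings.append({"kind": "app_credential_added", "actor": _actor(ev),
                             "targets": targets, "dormant_target": dormant})
        elif op in FEDERATION_OPS:
            findings.append({"kind": "federation_changed", "actor": _actor(ev),
                             "targets": targets, "dormant_target": False})
    return findings


# Constructed sample records (not real tenant data): one benign, two suspicious.
SAMPLE_EVENTS = [
    {"activityDateTime": "2020-12-10T08:00:00", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "Jane Doe"}]},
    {"activityDateTime": "2020-12-12T03:14:00",
     "operationName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.com"}},
     "targetResources": [{"displayName": "Legacy Mail Protection"}]},
    {"activityDateTime": "2020-12-13T04:02:00", "operationName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.com"}},
     "targetResources": [{"displayName": "example.com"}]},
]
SAMPLE_LAST_SIGNIN = {"Legacy Mail Protection": datetime(2020, 3, 1)}  # constructed
```

Running `triage_audit_events(SAMPLE_EVENTS, SAMPLE_LAST_SIGNIN)` yields two findings: a credential added to a dormant app and a federation change, both by the same admin account.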