SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

In December, the disclosure of the supply chain attack against SolarWinds sent shockwaves throughout federal agencies responsible for the security of US information assets. The ripple effect hit the IT community as well. Those ripples have continued into 2021, as what was already seen as a sophisticated attack on the IT supply chain has taken additional twists. New evidence points to attackers using well-established methods to gain initial access the old-fashioned way, through on-premises Active Directory (AD).

Compromising the SolarWinds build environment and sending Trojanized versions of updates for the Orion Platform is the best-known tactic believed to have been used by the threat group behind the attacks. According to the Cybersecurity and Infrastructure Security Agency (CISA), the threat actor was observed compromising or bypassing federated identity solutions and leveraging forged authentication tokens to move laterally to Microsoft cloud environments. From there, the threat actor used privileged access in the victims’ cloud environments to establish persistence mechanisms for Application Programming Interface (API)-based connections that were difficult to detect.

But in some cases, instead of using the highly sophisticated SolarWinds Orion compromise, attackers used tried and true methods to compromise their victims: password guessing, password spraying and exploiting poorly secured administrative or service credentials. They then used native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the certificate-signing capability of Microsoft Active Directory Federated Services (AD FS) and forge authentication tokens.

The SolarWinds attack campaign serves as a warning that on-premises identity resources will increasingly be used as a stepping stone to access cloud environments. Defenders tend to focus on the most sophisticated techniques, but generally, attackers are simply looking for the easiest way in. This type of vertical movement used attack paths that are all too familiar. Even in the most sophisticated security incidents, weak passwords and unsecured administrative credentials are regularly exploited. In the case of the SolarWinds hack, once inside, the attackers were able to execute the classic attack kill chain: local privilege elevation, reconnaissance, horizontal movement and escalation.

All these steps could have been disrupted by applying best security practices. While the fallout from this attack campaign has come to symbolize the scope of the threat landscape that government agencies and global businesses face, it is also a stark reminder of the importance of practicing good security hygiene. From smart password policies to AD monitoring, organizations need to raise the bar of entry for threat actors. A Microsoft blog post recommends taking the following actions to harden Azure AD against attacks, which some have dubbed “Solorigate.”

  • Do not allow users to grant consent to unmanaged applications
  • Enable password hash synchronization if hybrid
  • Enable policy to block legacy authentication
  • Enable self-service password reset
  • Ensure all users can complete multi-factor authentication for secure access
  • Require multi-factor authentication for administrative roles
  • Turn on sign-in risk policy
  • Turn on user risk policy
  • Use limited administrative roles
  • Deploy Azure AD Password Protection on-premises to eliminate common passwords in AD

CISA has also updated its guidance to 'Mitigate SolarWinds Orion Code Compromise,' listing actions that organizations can take to detect possible compromises. These precautions include searching SAML single sign-on logs for any logins to service providers that have no corresponding authentication events in AD FS or on the domain controllers, and reviewing any certificate export events in AD FS.
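The first of those CISA checks is a correlation: a SAML assertion accepted by a cloud service provider should be preceded by a token-issuance event at AD FS for the same user. The script below is an added illustration, not part of the article or of CISA's guidance. It uses constructed sample records (the sign-in and AD FS entries, the user names and assertion IDs are all invented), a five-minute correlation window and a one-minute clock-skew allowance, which are assumptions for the example; AD FS security event 1200 is the real "issued a valid token" event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AD FS security event 1200: "The Federation Service issued a valid token".
ADFS_TOKEN_ISSUED = 1200

# Constructed sample (not real logs): SAML sign-ins as a cloud service
# provider would record them.
SP_SIGNINS = [
    {"ts": "2021-01-05T09:00:12Z", "user": "alice@corp.example", "assertion_id": "_a1"},
    {"ts": "2021-01-05T09:04:33Z", "user": "bob@corp.example", "assertion_id": "_b2"},
    # No AD FS issuance anywhere near this sign-in: the token came from elsewhere.
    {"ts": "2021-01-05T11:30:00Z", "user": "svc-backup@corp.example", "assertion_id": "_c3"},
]

# Constructed extract of the AD FS security log: who was issued a token, and when.
ADFS_EVENTS = [
    {"ts": "2021-01-05T09:00:10Z", "event_id": 1200, "user": "alice@corp.example"},
    {"ts": "2021-01-05T09:04:30Z", "event_id": 1200, "user": "BOB@corp.example"},
    {"ts": "2021-01-05T12:00:00Z", "event_id": 1200, "user": "svc-backup@corp.example"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_orphan_signins(sp_signins, adfs_events,
                        max_age=timedelta(minutes=5), skew=timedelta(seconds=60)):
    """Return service-provider sign-ins that have no AD FS token-issuance event
    for the same user in the window [sign-in - max_age, sign-in + skew].

    max_age bounds how long before the sign-in the token may have been issued;
    skew tolerates small clock differences between AD FS and the provider.
    User names are compared case-insensitively (constructed data mixes case).
    """
    issued = defaultdict(list)
    for ev in adfs_events:
        if ev["event_id"] == ADFS_TOKEN_ISSUED:
            issued[ev["user"].lower()].append(parse_ts(ev["ts"]))

    orphans = []
    for signin in sp_signins:
        t = parse_ts(signin["ts"])
        candidates = issued.get(signin["user"].lower(), [])
        if not any(t - max_age <= issued_at <= t + skew for issued_at in candidates):
            orphans.append(signin)
    return orphans


if __name__ == "__main__":
    for o in find_orphan_signins(SP_SIGNINS, ADFS_EVENTS):
        print(f"no AD FS issuance for {o['user']} at {o['ts']} "
              f"(assertion {o['assertion_id']})")
```

A real deployment would pull the two sides from the provider's sign-in export and the AD FS security log (and the domain controllers, for the Kerberos or NTLM logon that precedes AD FS issuance); the logic stays the same. Sign-ins this check flags are exactly the ones a forged token would produce, since the attacker signs the assertion with the stolen certificate without ever touching AD FS.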

If an attacker can circumvent authentication controls and obtain administrator access to AD, it will take total visibility of the AD environment – both on-premises and in the cloud – to detect and respond to them. In the unforgiving reality of state-sponsored threat actors and advanced persistent threat groups, continuous monitoring of AD for unauthorized behaviors is a key component of preventing, detecting and stopping malicious activity in its tracks. Other ways to reduce risk to AD include regularly scanning it for weak configurations that attackers can exploit, reviewing account permissions, using complex passwords, applying the principle of least privilege when granting rights in AD and deploying security updates as soon as possible.
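One concrete form of the continuous monitoring described above targets the low-tech entry route the article keeps returning to: password spraying, which shows up in the domain controllers' failed-logon events as one source trying a handful of passwords against many accounts. The script below is an added example, not the article's or any vendor's code. The event records are constructed (Windows Security event 4625, "an account failed to log on," is real, but the IPs, accounts and timestamps are invented), and the ten-minute window and five-account threshold are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed logons (fields as they appear in Windows
# Security event 4625). Not real log data.
FAILED_LOGONS = [
    # 10.0.0.50: one try each against many accounts in half a minute -> spray.
    {"ts": "2021-01-05T02:00:01Z", "account": "alice", "source_ip": "10.0.0.50"},
    {"ts": "2021-01-05T02:00:05Z", "account": "bob", "source_ip": "10.0.0.50"},
    {"ts": "2021-01-05T02:00:09Z", "account": "carol", "source_ip": "10.0.0.50"},
    {"ts": "2021-01-05T02:00:14Z", "account": "dave", "source_ip": "10.0.0.50"},
    {"ts": "2021-01-05T02:00:20Z", "account": "erin", "source_ip": "10.0.0.50"},
    {"ts": "2021-01-05T02:00:26Z", "account": "svc-sql", "source_ip": "10.0.0.50"},
    {"ts": "2021-01-05T02:00:31Z", "account": "ALICE", "source_ip": "10.0.0.50"},
    # 10.0.0.7: one user mistyping their own password -> not a spray.
    {"ts": "2021-01-05T08:15:00Z", "account": "frank", "source_ip": "10.0.0.7"},
    {"ts": "2021-01-05T08:15:20Z", "account": "frank", "source_ip": "10.0.0.7"},
    {"ts": "2021-01-05T08:15:45Z", "account": "frank", "source_ip": "10.0.0.7"},
    # 10.0.0.9: a few accounts hours apart -> never enough inside one window.
    {"ts": "2021-01-05T03:00:00Z", "account": "grace", "source_ip": "10.0.0.9"},
    {"ts": "2021-01-05T05:00:00Z", "account": "heidi", "source_ip": "10.0.0.9"},
    {"ts": "2021-01-05T07:00:00Z", "account": "ivan", "source_ip": "10.0.0.9"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source that had
    failed logons against at least min_accounts distinct accounts inside some
    span of length `window`.

    Per-source sliding window over time-sorted attempts, so a brute force
    against one account (many tries, one name) does not trigger, while a
    spray (few tries each, many names) does.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["source_ip"]].append((parse_ts(ev["ts"]), ev["account"].lower()))

    findings = {}
    for src, attempts in by_source.items():
        attempts.sort()
        end = 0  # index one past the last attempt inside the current window
        for start in range(len(attempts)):
            while end < len(attempts) and attempts[end][0] - attempts[start][0] <= window:
                end += 1
            accounts = {name for _, name in attempts[start:end]}
            if len(accounts) >= min_accounts:
                findings[src] = sorted(accounts)
                break
    return findings


if __name__ == "__main__":
    for src, accounts in detect_password_spray(FAILED_LOGONS).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts "
              f"({', '.join(accounts)})")
```

The same logic ports directly to a SIEM query over 4625 events (group by source address, count distinct target accounts per time bucket). Sprays that stay under the lockout threshold per account are invisible to lockout policy alone, which is why the per-source, cross-account view matters.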

Organizations should also consider using Azure’s own security features. For example, most of the organizations targeted in the attacks likely have large, hybrid architectures. They use Microsoft 365 and, in all likelihood, a premium version of Azure AD. This version of Azure AD comes with Azure AD Password Protection, a hybrid service that protects an organization’s on-premises AD from common passwords. Had the password protection service been in use, the victimized organizations would have been far less susceptible to credential stuffing and password spray attacks.

As long as password spraying, guessing and other less technical approaches work, they will continue to be common elements of attackers’ arsenals. But with a layered approach to security that is built on best practices, even the most complex attacks can be mitigated through effective security controls.