Solorigate, called “Sunburst” by other researchers, was thought to be the common method by which a widespread espionage campaign was carried out, attributed to a nation state thought to be Russia. It refers to the injection of code during the build process of SolarWinds’ Orion management software, which was used to create a tainted dynamic link library that was further used to facilitate the installation of attack software tools.
It turned out, though, that other, more common exploit tactics were used besides Solorigate, as explained by the Cybersecurity and Infrastructure Security Agency (CISA), as well as by software security firm Malwarebytes.
In a Tuesday post, Alex Weinert, director of identity security at Microsoft, seemed to affirm these notions, stating that “when we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software.” Weinert, though, didn’t offer specific details on the compromised vendor software, besides SolarWinds’ Orion. He also didn’t name the compromised vendor accounts.
Secondary Attack Stage
Microsoft’s latest Solorigate analysis mostly didn’t go into details about the initial compromise. Instead, it focused on the malware installed on systems during the secondary stage of the attack in order to establish a remote command-and-control center using the Cobalt Strike tool. The secondary malware, called “Teardrop” and “Raindrop” by security researchers, loaded Cobalt Strike and also was used to obscure the attack methods used.
The attackers customized their attacks to a great degree by renaming files with unique names, possibly so that victim knowledge-sharing wouldn’t be effective. They also removed their tools when no longer needed to cover their trail.
Microsoft’s researchers estimated that the attackers had a functional malignant Solorigate dynamic link library file built by the end of February 2020, which got distributed to SolarWinds Orion users “sometime in late March.” The attackers subsequently “removed the Solorigate backdoor code from SolarWinds’ build environment in June 2020,” possibly because they had their targets already lined up by that time and wanted to obscure the attack.
The length of time for the APT group to carry out the attacks, estimated to have taken place from May to November, requires organizations to have access to months of historical data to carry out forensic analyses. Microsoft made that point, and didn’t shirk from recommending its own tools for the purpose.
“Modern attacks like Solorigate highlight the need for organizations to use advanced security solutions like Microsoft 365 Defender and Azure Sentinel and operate security response under an ‘assume breach’ mentality,” the announcement indicated.
Get to Zero Trust
Weinert also recommended that organizations use zero-trust methods for authenticating network traffic. The zero-trust approach “assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data,” he explained.
In that respect, Weinert touted the use of the cloud-based Azure Active Directory service as offering better protections than using on-premises federation.
“Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity,” Weinert wrote. “Not only is it easier to maintain (fewer moving parts for attackers to exploit), your Zero Trust policy should be informed by cloud intelligence.”
Despite that advice, Microsoft admitted in a separate announcement that “Zero Trust is still in infancy” with organizations. Per research findings, “only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap,” Microsoft’s announcement indicated.