SolarWinds Hacker Group Attacks 140 Times, Hits 14

That’s a poor batting average even for baseball. In most sports, you have to hit more often than you miss if you want to win. But that’s not how cybersecurity works. To this day, a hacker is sitting pretty if they breach one target for every hundred. Nobelium, the hacker agency many experts believe is controlled by the Russian Secret Service, is 14 for 140 this year. 

And they’re not choosing easy targets either. 

This most recent spree started last year when they successfully embedded a piece of malicious code in a software update by the company SolarWinds. That was the launchpad for one of the most viciously dangerous attacks against the United States. Government organizations, agencies, and large corporations scrambled to defend themselves.

Since then, the group has increased the pace, replicating the approach but applying it to organizations that are “integral to the global IT supply chain,” said Tom Burt, Microsoft Corporate Vice President of Customer Security and Trust in a Microsoft Blog. 

Burt claims his company has observed a systematic attack on IT resellers and other service providers that has continued since May 2021. Microsoft has already contacted more than 140 would-be victims, and believes that 14 of these have been successfully compromised. 

And yet, there is another side to this that makes the case incredibly difficult to fathom. These 140 are only part of a much larger wave: Microsoft's customers were attacked almost 23,000 times by the group, and that is the observed count, not the true total. These are brute force attacks; they rely on programmatic guesswork. Simple passwords are tried against known account holders until the first one works.

That explains the high number of attacks. They were carried out by an algorithm (not even a very sophisticated one). However, these tactics still work to this day: a handful were successful. 

To combat this disturbing trend, Microsoft has issued recommendations designed to help IT service providers and their customers defend themselves. 

Managed Service Provider Recommendations

  1. Verify and monitor compliance with Microsoft Partner Center security requirements

The Microsoft Partner Center ensures that all partners uphold standard best practices for the security of their own businesses and those of their customers. These include practices such as: 1) ensure that multi-factor authentication (MFA) is in use and that conditional access policies are enforced; 2) adopt the Secure Application Model framework; 3) check the Activity Log in Partner Center.

Partners can do this manually or by API. 

  2. Remove the delegated administrative privileges (DAP) connection when not in active use

To help execute this advice, Microsoft has extended a free two-year subscription to Azure Active Directory Premium, which provides extended access to sign-in logs and other Zero Trust capabilities.

  3. Conduct a thorough investigation

Because Microsoft believes that some targets were breached, it has recommended that service providers review the Azure Active Directory security operations guide for guidance. Again, these are Zero Trust practices that any organization should adopt to ensure its network security, especially now that these attacks have been revealed.

Managed Service Provider Customer Recommendations

  1. Audit access privileges

Downstream customers are advised to audit access privileges and permissions so that they can harden all tenant administrator accounts. This includes service provider permissions access from B2B and

  2. Use MFA
  3. Review audit logs

Active Directory is the tool of choice for reviewing logs. Use the sign-in logs, the audit logs, or the Microsoft 365 compliance center. 
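As an added illustration (not code from the original post, and not Microsoft's own tooling), the following Python script shows the kind of log review the recommendation above calls for: it scans sign-in records for the password-guessing pattern described earlier in the post, a single source failing against many distinct accounts and then succeeding against one. The records and their field layout are constructed for this example and are only a simplified stand-in for a real Azure AD sign-in log export.

```python
"""Flag password-spray activity in constructed sign-in records, then list
the accounts a flagged source actually got into (the "first one works" case)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records: (timestamp, source IP, account, result).
# This is NOT the real Azure AD sign-in log schema; map real fields onto it.
# 203.0.113.7 fails against five different accounts and then succeeds on a
# sixth; 198.51.100.4 is one user mistyping their own password twice.
SAMPLE_SIGNINS = [
    ("2021-10-25T08:00:01", "203.0.113.7", "alice@example.com", "failure"),
    ("2021-10-25T08:00:03", "203.0.113.7", "bob@example.com", "failure"),
    ("2021-10-25T08:00:05", "203.0.113.7", "carol@example.com", "failure"),
    ("2021-10-25T08:00:07", "203.0.113.7", "dave@example.com", "failure"),
    ("2021-10-25T08:00:09", "203.0.113.7", "erin@example.com", "failure"),
    ("2021-10-25T08:00:11", "203.0.113.7", "frank@example.com", "success"),
    ("2021-10-25T08:05:00", "198.51.100.4", "alice@example.com", "failure"),
    ("2021-10-25T08:05:20", "198.51.100.4", "alice@example.com", "failure"),
    ("2021-10-25T08:06:00", "198.51.100.4", "alice@example.com", "success"),
]

def find_spray_sources(signins, min_accounts=5, window=timedelta(minutes=10)):
    """Return {ip: accounts} for source IPs whose failed sign-ins hit at least
    min_accounts distinct accounts inside any span no longer than `window`.
    Counting distinct accounts, not raw failures, is what separates a spray
    from a single user fumbling their own password."""
    failures = defaultdict(list)  # ip -> [(time, account), ...]
    for ts, ip, account, result in signins:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window forward until events[start:end+1] fits in it.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged

def successes_from_spray_sources(signins, spray_sources):
    """Successful sign-ins from a flagged source: these are the accounts to
    reset, re-enrol in MFA and investigate first."""
    return [(ip, account) for _, ip, account, result in signins
            if result == "success" and ip in spray_sources]
```

On the constructed data only 203.0.113.7 is flagged, and its one successful sign-in (frank@example.com) is the account the review should start with.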

Don’t Let This Be Your Last Zero Trust Sweep

Whether you are an IT service provider or a downstream customer, it is important to understand where these best practices are coming from. Due to the severity and number of cyberattacks over the last five years, organizations are coming to embrace Zero Trust practices, such as programmatic audits and MFA. These practices are not new, but they are not yet practiced by all organizations. They are becoming increasingly important as cyberattacks and breaches become more common. 

The principle behind Zero Trust is very much like it sounds. Zero Trust assumes that your network might already be compromised. As such, it is important to validate traffic on the network regularly for malicious activity, especially behaviors observed as components of cyberattacks globally. 

That is why it is so important for Microsoft and any IT provider to share this information. Now we know what tactics, techniques and procedures (TTPs) to look for as we gauge network traffic. So do you.

If you do not know how to use Active Directory to conduct audits, or how to adequately protect your valuable network, please email david@platteriver.com.

© Platte River Networks - All Rights Reserved
