Guidance on Solorigate

In the wake of the recent cyberattack known as Solorigate, many organizations are scrambling to secure their systems. Since these kinds of attacks span multiple domains, having visibility into the entire scope is key to stopping and preventing its spread. This can be a daunting task for many, and OFFSITE is here to help your organization:

  • Identify compromised devices
  • Investigate related alerts and incidents
  • Hunt for related attacker activity
  • Continued monitoring and maintenance of your environment
  • Provide 24/7 support
OFFSITE - How to protect your business from a Solarigate like ransomeware attack

What is Solorigate?

The Solorigate attack is an example of a modern cross-domain compromise. Since these kinds of attacks span multiple domains, having visibility into the entire scope of the attack is key to stopping and preventing its spread.

This attack features a sophisticated technique involving a software supply chain compromise that allowed attackers to introduce malicious code into signed binaries on the SolarWinds Orion Platform, a popular IT management software. The compromised application grants attackers “free” and easy deployment across a wide range of organizations who use and regularly update the application, with little risk of detection because the signed application and binaries are common and are considered trusted. With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected). Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources through the following steps:

  1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
  2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods:
    1. Stealing the SAML signing certificate (Path 1)
    2. Adding to or modifying existing federation trust (Path 2)
  3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud

Should Your Company Be Concerned?

This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected. The deeply integrated cross-domain security capabilities in Microsoft 365 Defender can empower organizations and their security operations (SOC) teams to uncover this attack, scope out the end-to-end breach from endpoint to the cloud, and take action to block and remediate it. This blog will offer step-by-step guidance to do this by outlining:

  • How indicators of attack show up across endpoints, identity, and the cloud
  • How Microsoft 365 Defender automatically combines alerts across these different domains into a comprehensive end-to-end story
  • How to leverage the powerful toolset available for deep investigation, hunting, and response to enable SOCs to battle the attackers and evict these attackers from both on-premises and cloud environments

The below article, from the MS Defender team, provides an in-depth look at the threat from the recent Solorigate attack.

Contact OFFSITE for Cyber Security Support

OFFSITE is a Microsoft Silver Partner and has a team of engineers working around the clock to provide support to our clients.
If you’d like guidance from OFFSITE’s Network Operations Center, email or call (262) 564-6500.