SolarWinds Hackers Exploited Weak Access Policies to Infiltrate the Network

SolarWinds hackers likely exploited service accounts to move laterally within the network to access company resources.

January 28, 2021

Service accounts used by SolarWinds allowed attackers to move laterally within the network to access enterprise resources, according to Israeli cybersecurity firm Silverfort which says service accounts are a vulnerable and sensitive attack surface that must be protected.

Service accounts may have played a bigger role than originally anticipated in the SolarWinds hack that compromised the networks of a number of U.S. government agencies and private organisations. According to Israeli cybersecurity firm Silverfort, attackers may have used SolarWinds’ service accounts with high-level privileges to conduct lateral movement across the SolarWinds network and thereby gain access to more enterprise resources.

In December, it came to light that a hacker group trojanized a couple of software updates of the Orion IT monitoring software to infiltrate the IT networks of organizations that downloaded these updates. Orion was marketed by U.S. technology giant SolarWinds as an advanced software solution for organizations to monitor and manage their IT infrastructures that are complex and geographically dispersed. As many as 33,000 organizations worldwide used the Orion platform when the hacking took place, including several U.S. government agencies such as the Pentagon.

The hacking of the Orion platform was allegedly perpetrated by a state-sponsored Russian actor known as APT29, also known as Cozy Bear. According to CrowdStrike, APT29 is the same group that compromised the Democratic National Committee’s email servers in 2016.

The months-long attack on SolarWinds, which began in March last year but was discovered in December, affected around 18,000 organizations worldwide that downloaded the infected updates to the Orion platform.

Security researchers at Silverfort said that the hackers behind the cyberattack on SolarWinds could have exploited service accounts used by the company to move laterally within the network, a step attackers commonly take by abusing weaknesses in how service accounts are provisioned and controlled.

According to the researchers, movement across an organizational network through in-house service accounts becomes a risky proposition with improperly defined access policies, especially when a service account is externally exposed.

Noting that three service accounts used by SolarWinds, namely RPCSS scanner, General Scanner, and LDAP Scanner, which use the Kerberos, NTLM and Kerberos, and LDAP authentication protocols respectively, have medium-to-high predictability, the researchers said that if each of these accounts sticks to its own protocol for authentication against a limited set of resources, the risk of illicit network access is eliminated.

“This should be viewed as a wake up call for IT security teams that they need to monitor service account activity for anomalies and restrict access to any resources or assets that aren’t part of the day-to-day workflows,” Gal Sadeh, Lead Data Scientist at Silverfort, told Toolbox. “However, discovery of service accounts in large enterprise environments is complex and enforcement of proactive access policies based on anomalies is not natively supported in Active Directory environments.”


Granular visibility into access controls for these accounts can be achieved by searching for them in Active Directory to uncover their assigned access policy permissions. The attackers specifically leveraged Cobalt Strike to assess the system and network security, and DSInternals for querying Active Directory servers and data retrieval (passwords, keys, or password hashes of service accounts), Silverfort said.

According to Sadeh, continuous enforcement of least privilege access for service accounts is a good way to keep infiltrators at bay. However, the discovery of all service accounts in a given environment is not a trivial task and there is no easy way to discover them since they look like regular user accounts. Sometimes the account name may indicate that it’s a service account, but not always. This is exactly why enforcing least privilege is so important.

Even when an organization runs a combination of on-premises and cloud environments, there needs to be a uniform identity, access and privilege management policy in place. “The ability to monitor and manage authentication for both cloud and on-prem resources in a single identity protection platform eliminates blind spots that are commonplace when organizations maintain separate identity and security silos,” adds Sadeh.

When it comes to identity protection, organizations should ensure that all service accounts associated with SolarWinds are known and monitored for unexpected activity. In addition, a security policy that whitelists each service account’s normal authentication activity, and blocks all other attempts to access enterprise assets or resources, should be implemented and enforced, the firm said in conclusion.

Best Practices for Protecting Service Accounts

Silverfort suggests mapping each service account’s normal activity and monitoring for anomalies, since malicious use generally shows up as a deviation from that established baseline.

  • Discovery: Create and maintain a list of all service accounts in the organizational network environment, with special care for those belonging to third-party service providers.
  • Baseline: Record, for each service account, the authentication protocol it uses, the time intervals it runs on, and only those assets the account actually requires.
  • Protection: Based on that knowledge, define access provisions through the identity and access management systems in use by the organization.
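The discovery, baseline and protection steps above, and the earlier point that each scanner account should stick to its own protocol and a limited set of resources, can be reduced to a small baseline-and-deviation check. The following script is an added illustration, not Silverfort’s product or any SolarWinds code: it learns a per-account baseline (protocols, targets, hours of day) from a constructed set of historical authentication log lines, then flags recent events that use an unknown account, an unexpected protocol, an unexpected target, or run outside normal hours. The log format, account names (svc-rpcss-scanner, svc-general-scanner, svc-ldap-scanner, svc-backup) and host names are all invented for the example.

```python
"""Baseline service-account authentication and flag deviations (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed log format: "<ISO timestamp> account=<name> proto=<protocol> target=<host> result=<status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+account=(?P<account>\S+)"
    r"\s+proto=(?P<proto>\S+)\s+target=(?P<target>\S+)"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    account: str
    protocol: str
    target: str

    @property
    def hour(self) -> int:
        # Hour of day from the ISO timestamp, used for the "time interval" part of the baseline.
        return int(self.ts[11:13])


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; lines that do not match the format are ignored (returns None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(m["ts"], m["account"].lower(), m["proto"].upper(), m["target"].lower())


def parse_lines(lines: Iterable[str]) -> List[AuthEvent]:
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


Baseline = Dict[str, Dict[str, Set]]


def learn_baseline(history: Iterable[AuthEvent]) -> Baseline:
    """Discovery + baseline: every account seen in known-good history, with the
    protocols, targets and hours it used. Accounts absent here are 'undiscovered'."""
    baseline: Baseline = {}
    for ev in history:
        b = baseline.setdefault(ev.account, {"protocols": set(), "targets": set(), "hours": set()})
        b["protocols"].add(ev.protocol)
        b["targets"].add(ev.target)
        b["hours"].add(ev.hour)
    return baseline


def classify(ev: AuthEvent, baseline: Baseline) -> List[str]:
    """Protection check: return the list of ways this event deviates from baseline (empty = normal)."""
    b = baseline.get(ev.account)
    if b is None:
        return ["unknown-account"]
    reasons = []
    if ev.protocol not in b["protocols"]:
        reasons.append(f"protocol {ev.protocol} not in baseline")
    if ev.target not in b["targets"]:
        reasons.append(f"target {ev.target} not in baseline")
    if ev.hour not in b["hours"]:
        reasons.append(f"hour {ev.hour:02d} outside normal schedule")
    return reasons


def find_anomalies(lines: Iterable[str], baseline: Baseline) -> List[Tuple[AuthEvent, List[str]]]:
    return [(ev, classify(ev, baseline)) for ev in parse_lines(lines) if classify(ev, baseline)]


# Constructed known-good history: each scanner uses its own protocol against a fixed set of hosts at night.
HISTORY_LINES = [
    "2021-01-20T02:00:00Z account=svc-rpcss-scanner proto=Kerberos target=srv-app01 result=success",
    "2021-01-20T02:05:00Z account=svc-rpcss-scanner proto=Kerberos target=srv-app02 result=success",
    "2021-01-20T02:10:00Z account=svc-general-scanner proto=NTLM target=srv-legacy01 result=success",
    "2021-01-20T02:12:00Z account=svc-general-scanner proto=Kerberos target=srv-app01 result=success",
    "2021-01-20T03:00:00Z account=svc-ldap-scanner proto=LDAP target=dc01 result=success",
    "2021-01-21T02:00:00Z account=svc-rpcss-scanner proto=Kerberos target=srv-app01 result=success",
    "2021-01-21T03:00:00Z account=svc-ldap-scanner proto=LDAP target=dc01 result=success",
]

# Constructed recent events: one normal, one deviating on protocol, target and time, one undiscovered account.
RECENT_LINES = [
    "2021-01-28T02:00:00Z account=svc-rpcss-scanner proto=Kerberos target=srv-app01 result=success",
    "2021-01-28T14:30:00Z account=svc-ldap-scanner proto=NTLM target=srv-file01 result=success",
    "2021-01-28T02:20:00Z account=svc-backup proto=Kerberos target=srv-app01 result=success",
    "not a log line",
]


def run_demo() -> List[Tuple[AuthEvent, List[str]]]:
    baseline = learn_baseline(parse_lines(HISTORY_LINES))
    return find_anomalies(RECENT_LINES, baseline)


if __name__ == "__main__":
    for ev, reasons in run_demo():
        print(f"{ev.ts} {ev.account} -> {ev.target} via {ev.protocol}: {'; '.join(reasons)}")
```

The baseline is learned from history here only to keep the example self-contained; in practice the discovery list and the allowed protocol/target sets would be maintained by the identity team and the “unknown-account” result is the signal that discovery is incomplete. The same classify() output is what a whitelist-style policy would act on, blocking rather than merely reporting the deviating authentication.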
