CrowdStrike Exec Highlights “Structural Issues” With Active Directory During Senate Solorigate Hearing – Redmondmag.com

News

CrowdStrike Exec Highlights “Structural Problems” With Active Directory During Senate Solorigat Hearing

In particular, Microsoft’s Active Directory authentication solution was compromised during a February 23 US Senate hearing on the SolarWinds Orion software hack.

The Senate Select Committee on Intelligence hearing focused on how a software implant and other methods went undetected, enabling a spying campaign that hit nine federal agencies and 100 businesses, according to a White House estimate. The hearing included testimony from four software company chiefs, who also answered questions from senators about the attack.

A common theme associated with the comments was whether software security vulnerabilities should be legally mandatory for organizations.

A video recording of the hearing is available on request at this page.

Amazon was a No-Show
Executives present at the hearing included Kevin Mandia, CEO of FireEye; Sudhakar Ramakrishna, CEO of SolarWinds; Brad Smith, President of Microsoft; and George Kurtz, President and CEO of CrowdStrike.

Notably absent from the hearing was a representative from Amazon Web Services (AWS). Amazon had been invited but declined to attend the hearing, a fact that was deplored by most senators in their opening comments.

The discussions included a mention that US-based servers had been used to mask the sophisticated attacks, which are presumed to come from a nation-state actor. US officials have alleged that Russia was involved, although local officials have denied it.

During the hearing, no one specifically said that servers hosted by AWS services were used in the Solorigate attacks, although that may have been why the Senate panel invited Amazon.

SolarWinds Orion Not Sole Attack Avenue
SolarWinds’ Orion management software was the subject of a supply chain attack in which code was inserted during the build of the software to establish a point of compromise for espionage purposes, targeting usually courier services. The attack, which hit government agencies and software vendors, was first detected in December, but had a gestation period of several months before that.

Initial reports had just pointed to the SolarWinds Orion software compromise as the security issue that had been exploited. However, the attackers used several other methods, including password spraying methods to guess passwords and obtain credentials. They also exploited old software with too many permissions and Active Directory Federation Services (ADFS), a Windows Server role, to gain access privileges to Microsoft 365 email services. These other attack methods were noted in January by the US Cybersecurity and Infrastructure Security Agency (CISA).

Microsoft also acknowledged that the ADFS used on the local infrastructure of Solorigate victims was exploited in the attacks. He recommended using his Azure AD service instead. Microsoft’s implication, however, appeared to be that the compromised organizations had just misconfigured ADFS, rather than that ADFS had inherent security issues.

Active Directory ‘Architectural Limitations’
However, Kurtz’s comments from CrowdStrike (PDF download) were more pointed. He characterized ADFS as having “architectural limitations” that were exploited in a “Golden SAML attack” as part of Solorigate’s efforts (also known as the “Stellar Particle campaign”):

Significantly, one of the most sophisticated aspects of the StellarParticle campaign was the skill with which the threat actor took advantage of the architectural limitations of the Active Directory Federation Service identification and authentication process. Microsoft. The Golden SAML attack exploited by StellarParticle actors allowed them to move from customer on-premises environments to their cloud and cloud applications, effectively bypassing multi-factor authentication.

Kurtz added that architectural flaws in Microsoft’s authentication solutions ensure that further breaches will occur. These flaws will allow attackers to “impersonate most people on a network, gain the necessary permissions to perform actions on the network, bypass multi-factor authentication entirely, and, just as devastating as that sounds, to be able to log in as a compromised user, regardless of how many times that user resets their password,” he explained.

Microsoft should “address authentication architecture limitations around Active Directory and Azure Active Directory, or move to a different methodology entirely,” Kurtz added. Alternatively, “a more community-driven approach to authentication” should be taken.

CrowdStrike became involved in Solorigate’s investigations because it was approached by SolarWinds. However, CrowdStrike had also been indirectly targeted. This happened through a “third-party computer reseller that handled Microsoft licensing,” Kurtz explained.

“The incident involved anomalous activity on the Microsoft Azure account that the reseller uses to validate Microsoft customer licenses through the API with Microsoft,” he said.

CrowdStrike was unharmed by this attack location. However, Kurtz noted that many businesses and government agencies routinely rely on these vendors, making it an important issue to consider.

Microsoft Testimonial
Microsoft’s Smith called for wide sharing of information about security vulnerabilities and explained that Microsoft was first alerted to the attacks by FireEye. He explained that “all of the attacks” identified by Microsoft started on servers in organizations, which limited Microsoft’s detections.

“And yet, we only have line-of-sight into the attack when it then moved to the cloud,” Smith said, according to testimony (PDF download). “As a result, customers who have not yet migrated to the cloud are more likely to be ongoing, undiscovered victims.”

The hearing involved discussions between senators and executives. Consequently, Smith did not respond directly to Kurtz’s claims of alleged structural problems with Active Directory. He suggested, however, that using forged SAML tokens was just one of the approaches used by attackers.

“It turns out, however, that the SAML token generation approach was only used by Russian attackers 15% of the time among the victims we identified,” Smith said, according to his testimony. “In the remaining 85% of cases, the Russians used various other methods to obtain the credentials they needed to access O365 from an on-premises network.”

In general, Smith advocated for “zero trust” network principles, closer collaboration between government and industry, and mandatory sharing of information about security breaches in his Senate testimony.

Smith offered a more nationalist view in a Microsoft blog post from February 23, where he suggested that the lessons of Solorigate were such that “the Pentagon needs to move faster to use, secure, and adapt commercial advances to military applications.”

Other views
The testimony from other Senate panelists was also interesting, especially Mandia’s comments (PDF download). In his verbal comments, he said around 17,000 businesses may have been compromised. He noted that attackers were able to use the software implant in SolarWinds’ Orion product to disable security software and avoid detection. He also speculated that in addition to his other tools, the attackers likely had zero-day software exploits.

Ramakrishna had been hired at SolarWinds after the attacks were detected in December. He had little to say in his testimony (PDF download). However, he noted that the supply chain attack code (which he called “Sunspot”) was added to the Orion product between March 2020 and June 2020. He characterized code such as Sunspot as posing a big risk for more supply chain. attacks in the future.

“We believe that the entire software industry should be concerned about the nation-state attack, as the methodologies and approaches used by the threat actor(s) can be replicated to impact any company’s software and hardware products, and these are not SolarWinds-specific vulnerabilities,” Ramakrishna said in his testimony.

About the Author

Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.


Source link

Comments are closed.