The Department of Homeland Security said the SolarWinds hackers have given themselves top administrative privileges to spy on victims without being detected

The Advisor Published Friday by the Department of Homeland Security represents the agency’s most detailed explanation yet of how attackers were able to monitor high-value intelligence targets that had gone undiscovered for months.

It also reveals that investigators are increasingly focusing on attackers using Microsoft products to hide in sight.

The alert does not address the data that hackers may have access to or the extent of the breach, and is limited to describing the attack patterns themselves. a Joint statement Intelligence officials said on Tuesday that “fewer than ten agencies” appeared to have been specifically targeted for espionage.
Since then, the federal judiciary said It is verifying A potential compromise for the electronic case management system and the Ministry of Justice I acknowledge That up to 3 percent of his Microsoft email accounts were accessed.

Cybersecurity experts and US officials said weeks ago that the attackers may have misused credentials and impersonated legitimate users for the spying campaign.

Now the Department of National Security’s Cybersecurity and Infrastructure Security Agency has confirmed this, describing step-by-step how the attackers concealed their tracks.

First, the attackers gained initial access to the victim by taking advantage of a previously disclosed SolarWinds vulnerability or through other methods, such as guessing the password, which CISA said it was still investigating.

Next, the attackers sought to impersonate one or more real users in order to gain access to the enterprise’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory.

Security experts have described services such as Azure Active Directory as carrying “the keys of the kingdom” because for many organizations, it is the software used to create and manage network accounts, passwords, and privileges.

READ  Le preoccupazioni per la crescita globale dominano il sentimento

Once the attackers gained access to the organization’s identity provider, CISA said, they were able to set up permissions for themselves to surreptitiously access other programs and applications.

Robert M. Lee, CEO of cybersecurity firm Dragos, said attacks on a platform like Active Directory can be extremely powerful.

“It is a system that connects all the other systems,” he said in a recent interview.

Cedric Layton, a former National Security Agency official and military analyst, told CNN that the report showed the sophistication of the attackers.

“This is the latest key to understanding the SolarWinds hack,” Layton said. “The fact that credentials were compromised – including multi-factor identity authentication systems – shows how widespread this attack actually is. References to lateral traffic show that they moved across networks to compromise more data than was originally thought. Acknowledgment that the potential compromise of our systems goes far beyond what was originally thought. Originally reported. This is a very big problem. “

Zachary Cohen contributed to this story.

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *