According to CrowdStrike, the threat actors behind the SolarWinds supply chain attacks actively targeted firms throughout the year 2021 and employed two novel approaches to gain access to their victims’ data.
A blog post from the cybersecurity vendor on Thursday gave the most recent details of what it dubbed the “StellarParticle” campaign, which ties together cyberespionage activity by the state-sponsored threat group Cozy Bear — the same group that breached SolarWinds in 2020. According to CrowdStrike, the SolarWinds hackers continued to operate in 2021, employing both well-known tactics and novel techniques.
The post went into the techniques that allowed the actors to “remain undiscovered for months — and in some cases, years” before being found. Two novel techniques featured in the campaign, both of which affected a large number of organizations: browser cookie theft and manipulation of Microsoft service principals.
Across its StellarParticle-related investigations, the security firm found that the threat actors possessed an extensive understanding of the Windows and Linux operating systems, as well as Microsoft Azure, Office 365 and Active Directory. CrowdStrike’s researchers also found that the vast majority of adversary actions identified in those investigations stemmed from the compromise of a victim’s Office 365 environment.
That raised a number of questions, which eventually led to the discovery of credential hopping, “in which the threat actor used various credentials for each step while traveling laterally through the victim’s network,” according to the researchers. CrowdStrike said this is not necessarily a method unique to this campaign, but it “indicates a more advanced threat actor and may go undiscovered by a victim.”
Brand-new techniques
While credential hopping is not new, it was unclear how the threat actor got past multifactor authentication (MFA), which CrowdStrike said was enabled for every O365 user account at each targeted organization it studied.
Although many organizations have adopted MFA to strengthen account security, the StellarParticle campaign highlights its limits, as well as the possibility of attackers obtaining administrative access. The threat actors were able to circumvent MFA, even though it was required to access cloud services from all locations, including on-premises, by stealing Chrome browser cookies. This was accomplished by connecting to other users’ PCs over the Server Message Block (SMB) protocol, to which the actors already had access, and copying their Chrome browser data.
A “Cookie Editor” Chrome extension, which the threat actor placed on victim devices and then uninstalled after use, was then used to add the cookies to a newly created session, according to the blog.
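The SMB copy described above leaves a trace that defenders can look for: Windows Security event 5145 (detailed file share access) records which account read which path over which share. The following detection, an added example that is not CrowdStrike’s code, scans constructed 5145-style records for one account reaching into other users’ Chrome profile data (the cookie store, saved logins, and the Local State file that holds the key protecting them) over an administrative share. The field names follow the event’s data elements; every account, address and path value is invented for this example.

```python
import re
from collections import defaultdict

# Files under a Chrome profile that an attacker needs in order to reuse
# another user's web sessions: the cookie store (older builds keep it in
# Default\Cookies, newer ones in Default\Network\Cookies), saved logins,
# and Local State, which holds the DPAPI-protected key for those databases.
CHROME_SENSITIVE = r"Cookies|Login Data|Web Data|Local State"

# Share-relative path as it appears in the RelativeTargetName field of
# event 5145, e.g. "Users\mlee\AppData\Local\Google\Chrome\User Data\Default\Cookies".
CHROME_PATH = re.compile(
    r"^Users\\(?P<profile>[^\\]+)\\AppData\\Local\\Google\\Chrome\\User Data\\"
    r"(?:.*\\)?(?P<file>" + CHROME_SENSITIVE + r")$",
    re.IGNORECASE,
)

# Constructed sample records in the shape of Windows Security event 5145.
# Field names mirror the event's data elements; all values are invented.
SAMPLE_5145 = [
    {"SubjectUserName": "jsmith", "IpAddress": "10.0.5.22", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\jsmith\Documents\report.docx"},
    {"SubjectUserName": "svc_backup", "IpAddress": "10.0.5.40", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\mlee\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"SubjectUserName": "svc_backup", "IpAddress": "10.0.5.40", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\mlee\AppData\Local\Google\Chrome\User Data\Local State"},
    {"SubjectUserName": "svc_backup", "IpAddress": "10.0.5.40", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\akhan\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"SubjectUserName": "akhan", "IpAddress": "10.0.5.9", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\akhan\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]


def chrome_profile_access(events):
    """Return one finding per remote read of Chrome session data that
    belongs to a profile other than the account doing the reading."""
    findings = []
    for ev in events:
        m = CHROME_PATH.match(ev.get("RelativeTargetName", ""))
        if not m:
            continue
        subject = ev["SubjectUserName"]
        victim = m.group("profile")
        # A user touching their own profile over the network is odd but is
        # not the pattern described in the campaign; cross-profile access is.
        if subject.lower() == victim.lower():
            continue
        findings.append({
            "subject": subject,
            "source_ip": ev.get("IpAddress"),
            "victim_profile": victim,
            "file": m.group("file"),
            # Access through an administrative share (C$, ADMIN$) is the
            # usual route and is worth calling out on its own.
            "admin_share": ev.get("ShareName", "").endswith("$"),
        })
    return findings


def victims_per_subject(findings):
    """Group findings so one account reaching into several users' browser
    profiles surfaces as a single, higher-priority lead."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["subject"]].add(f["victim_profile"])
    return {subject: sorted(v) for subject, v in grouped.items()}


if __name__ == "__main__":
    hits = chrome_profile_access(SAMPLE_5145)
    for h in hits:
        print(f"{h['subject']}@{h['source_ip']} read {h['file']} from profile {h['victim_profile']}")
    print(victims_per_subject(hits))
```

Event 5145 is only logged when detailed file share auditing is enabled, so this check presupposes that audit policy; the grouping step matters because a single backup or admin account legitimately reading one profile is noise, while the same account sweeping several users’ cookie stores is the behaviour the campaign relied on.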
Even changing passwords did not resolve the situation. Although the business had completed an enterprise-wide password reset, CrowdStrike reported that in some situations the “threat actor was able to swiftly return to the environment and essentially pick up where they left off.” In some of those cases, administrative users had reset their passwords to a previously used password, which the system does not normally permit. Normally, according to CrowdStrike, Active Directory (AD) requires users to submit a password that is distinct from their previous five passwords.
“Unfortunately, this check only applies when a user is changing their password via the ‘password change’ method — however, if a ‘password reset’ is performed (which involves changing the password without knowing the previous password), this check is bypassed for an administrative user or a Windows account that has Reset Password permission on a user’s account object,” the blog stated.
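Because the history check is skipped on a reset, the resets themselves are what a defender should be reviewing. Windows logs a password change as Security event 4723 and a reset as event 4724, with the acting account in SubjectUserName and the affected account in TargetUserName. The following audit, an added example rather than anything from the CrowdStrike post, walks constructed 4723/4724-style records and flags the resets worth a look: an account resetting its own password (the route by which the history policy is sidestepped), a reset performed by an account outside the help-desk allowlist, and any reset of a privileged account. The allowlist and privileged-account set are hypothetical inputs for this example, and all account names and timestamps are invented.

```python
# Windows Security event IDs for the two password operations. A change
# (4723) is made by the user supplying the old password and is subject to
# the domain password-history policy; a reset (4724) is performed by an
# account holding Reset Password rights and skips that history check.
PASSWORD_CHANGE = 4723
PASSWORD_RESET = 4724

# Constructed sample records; field names follow the events' data
# elements, values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4723, "Time": "2021-06-01T09:00:00", "SubjectUserName": "jsmith", "TargetUserName": "jsmith"},
    {"EventID": 4724, "Time": "2021-06-01T09:05:00", "SubjectUserName": "helpdesk1", "TargetUserName": "mlee"},
    {"EventID": 4724, "Time": "2021-06-01T09:07:00", "SubjectUserName": "adm_rwhite", "TargetUserName": "adm_rwhite"},
    {"EventID": 4724, "Time": "2021-06-01T09:09:00", "SubjectUserName": "svc_backup", "TargetUserName": "adm_dpatel"},
    {"EventID": 4724, "Time": "2021-06-01T09:10:00", "SubjectUserName": "helpdesk1", "TargetUserName": "adm_dpatel"},
]

# Hypothetical environment knowledge for this example: the accounts whose
# passwords matter most, and the accounts allowed to reset other people's.
PRIVILEGED_ACCOUNTS = {"adm_rwhite", "adm_dpatel"}
AUTHORIZED_RESETTERS = {"helpdesk1"}


def classify_reset(ev):
    """Return why a 4724 event deserves review, or None if it does not."""
    if ev.get("EventID") != PASSWORD_RESET:
        return None
    subject = ev["SubjectUserName"].lower()
    target = ev["TargetUserName"].lower()
    if subject == target:
        # Resetting one's own password instead of changing it is exactly
        # how the history policy gets sidestepped.
        return "self-reset bypasses password history"
    if subject not in {a.lower() for a in AUTHORIZED_RESETTERS}:
        return "reset by account not authorized to reset passwords"
    if target in {a.lower() for a in PRIVILEGED_ACCOUNTS}:
        return "reset of a privileged account"
    return None


def audit_resets(events):
    """Walk a batch of 4723/4724 records and return the resets worth a look."""
    findings = []
    for ev in events:
        reason = classify_reset(ev)
        if reason:
            findings.append((ev["Time"], ev["SubjectUserName"], ev["TargetUserName"], reason))
    return findings


def reset_ratio(events):
    """Share of password operations that were resets rather than changes.
    After an enterprise-wide reset this should drop back quickly; a ratio
    that stays high means resets are being used as the routine path."""
    changes = sum(1 for ev in events if ev.get("EventID") == PASSWORD_CHANGE)
    resets = sum(1 for ev in events if ev.get("EventID") == PASSWORD_RESET)
    total = changes + resets
    return resets / total if total else 0.0


if __name__ == "__main__":
    for time, actor, target, reason in audit_resets(SAMPLE_EVENTS):
        print(f"{time} {actor} -> {target}: {reason}")
    print(f"reset ratio: {reset_ratio(SAMPLE_EVENTS):.2f}")
```

The split between 4723 and 4724 is the key detail: only the second is exempt from the history check, so a reset of an administrative account (by itself or by anyone not expected to do so) is the event to escalate after a fleet-wide credential rotation.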
The second novel technique described in the blog again brought the danger of attackers gaining administrative power to the forefront. In this instance, the SolarWinds hackers succeeded in gaining access to and control over vital applications, including Active Directory, through the manipulation of Microsoft service principals and the hijacking of applications. Once they had obtained administrator privileges, the threat actors were able to create their own service principals in either Windows or Azure. According to the blog, the new service principals were given administrative rights within the organization.
The threat actor added a credential to this service principal, allowing them to access it directly without the need for an O365 user account, according to the blog post.
Even though the SolarWinds hackers already had access to Office 365 through a compromised admin account, they created a service principal for O365 because it can serve as another form of persistence and reconnaissance for reading email, CrowdStrike told SearchSecurity. The blog post offered another example of how it was put to use: the actors took advantage of a service principal with the Mail.Read permission, which gave them the ability to read the emails of a variety of users across the company’s network.
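Both steps described above, adding a credential to a service principal and giving it a mail-reading permission, are written to the Azure AD audit log, so they can be reviewed after the fact and alerted on. The following check is an added example, not CrowdStrike’s code or Microsoft tooling: it walks constructed records laid out in the general shape of Azure AD audit log entries (operationName, initiatedBy, targetResources with modifiedProperties), lists every credential added to a service principal, and ranks highest those service principals that were also granted a mail permission, since those give the holder mailbox access with no user sign-in and no MFA prompt. The two operation names are those used in the Azure AD audit log; the mail-permission set is a constructed subset, and all principals, ids and timestamps are invented.

```python
import json

# Azure AD audit log operation names for the two actions of interest.
CRED_ADDED = "Add service principal credentials"
ROLE_ASSIGNED = "Add app role assignment to service principal"

# Constructed sample entries in the general shape of Azure AD audit log
# records. Names, ids, UPNs and timestamps are invented for this example.
SAMPLE_AUDIT = [
    {"activityDateTime": "2021-06-02T03:14:00Z", "operationName": CRED_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "adm_rwhite@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-0001",
                          "displayName": "Mailbox Sync Helper"}]},
    {"activityDateTime": "2021-06-02T03:15:00Z", "operationName": ROLE_ASSIGNED,
     "initiatedBy": {"user": {"userPrincipalName": "adm_rwhite@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-0001",
                          "displayName": "Mailbox Sync Helper",
                          "modifiedProperties": [
                              # newValue is a JSON-encoded string, hence the inner quotes
                              {"displayName": "AppRole.Value", "newValue": "\"Mail.Read\""}]}]},
    {"activityDateTime": "2021-06-02T08:00:00Z", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@example.com"}},
     "targetResources": [{"type": "User", "id": "u-0042", "displayName": "M. Lee"}]},
    {"activityDateTime": "2021-06-02T09:30:00Z", "operationName": CRED_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "svc_pipeline@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "sp-0002",
                          "displayName": "Build Agent"}]},
]

# Application permissions that let a service principal read mailboxes on
# its own, with no signed-in user. Constructed subset for this example.
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All"}


def _actor(entry):
    """UPN of the user who performed the operation, if the log records one."""
    return entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def mail_capable_principals(entries):
    """Ids of service principals that were granted one of the mail permissions."""
    granted = set()
    for e in entries:
        if e.get("operationName") != ROLE_ASSIGNED:
            continue
        for res in e.get("targetResources", []):
            for prop in res.get("modifiedProperties", []):
                if prop.get("displayName") != "AppRole.Value":
                    continue
                try:
                    value = json.loads(prop.get("newValue", "null"))
                except ValueError:
                    value = None
                if value in MAIL_PERMISSIONS:
                    granted.add(res.get("id"))
    return granted


def review_credential_additions(entries):
    """Every new credential on a service principal is a persistence path that
    survives user password resets; rank the ones that can read mail highest."""
    mail_sps = mail_capable_principals(entries)
    findings = []
    for e in entries:
        if e.get("operationName") != CRED_ADDED:
            continue
        for res in e.get("targetResources", []):
            if res.get("type") != "ServicePrincipal":
                continue
            findings.append({
                "time": e.get("activityDateTime"),
                "actor": _actor(e),
                "service_principal": res.get("displayName"),
                "sp_id": res.get("id"),
                "severity": "high" if res.get("id") in mail_sps else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in review_credential_additions(SAMPLE_AUDIT):
        print(f"[{f['severity']}] {f['time']} {f['actor']} added a credential to "
              f"{f['service_principal']} ({f['sp_id']})")
```

The medium-severity hit (a pipeline account adding a credential to a build agent) is the kind of routine automation that makes a blanket alert on credential additions noisy; correlating with the permissions the principal actually holds is what separates it from the persistence the campaign relied on.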
Although the level of access the SolarWinds hackers gained during the StellarParticle attacks was concerning, CrowdStrike reported that their dwell time, spanning years, was even more so.
In one case, CrowdStrike discovered multiple instances of domain credential theft over a period of months, each using a different credential theft technique, according to the blog.
CrowdStrike also stated that the threat actors targeted corporate wikis in several attacks. “Through a series of StellarParticle investigations, CrowdStrike found a unique reconnaissance activity done by the threat actor: access to victims’ internal knowledge repositories,” the company’s blog post said. “Wikis are widely utilized across industries to encourage information sharing and serve as a source of reference for a wide range of topics.”
While the SolarWinds hackers were able to circumvent multi-factor authentication in several instances, CrowdStrike recommended that enterprises activate multi-factor authentication for wikis and internal information repositories. It was also recommended by the cybersecurity company that enterprises enable extensive, centralized logging and keep the logs on hand for at least 180 days.