We reported yesterday on allegations that Microsoft’s Microsoft 365 platform was abused by hackers to spy on the U.S. Treasury Department.

Microsoft has responded by posting a guide for admins “to find and mitigate potential malicious activity”.

They, however, denied that Microsoft’s cloud was compromised, saying:

We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations.

Microsoft did, however, confirm that “nation-state activity at significant scale, aimed at both the government and private sector” was taking place, and warned security staff to look out for the following signs:

  • An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Also, see SolarWinds Security Advisory.
  • An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
  • Anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.
  • Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
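One way a defender can hunt for the third sign above is to correlate cloud sign-ins against the on-premises federation server's own issuance records: a token signed with a stolen certificate validates in the cloud but was never minted on-prem. This is an added example, not Microsoft's guidance or tooling; the record shapes, field names and sample entries are constructed assumptions, and the lifetime check goes slightly beyond the page by also flagging tokens whose validity window exceeds the expected policy.

```python
"""Flag cloud sign-ins backed by SAML tokens the on-prem federation server never issued.

Assumed (constructed) log shapes: each cloud sign-in carries the SAML assertion
ID it presented; each federation-server (e.g. AD FS) issuance record carries the
assertion ID it minted, the user it was minted for, and its validity window.
"""
from datetime import datetime, timedelta

# Constructed sample records; not real log exports.
CLOUD_SIGNINS = [
    {"user": "alice@example.com", "assertion_id": "_a1",
     "time": "2020-12-15T10:00:05", "issuer": "sts.example.com"},
    {"user": "svc-backup@example.com", "assertion_id": "_b7",
     "time": "2020-12-15T03:12:44", "issuer": "sts.example.com"},
    {"user": "bob@example.com", "assertion_id": "_c3",
     "time": "2020-12-15T11:30:00", "issuer": "sts.example.com"},
]
ADFS_ISSUANCE = [
    {"assertion_id": "_a1", "user": "alice@example.com",
     "time": "2020-12-15T10:00:03", "not_on_or_after": "2020-12-15T11:00:03"},
    {"assertion_id": "_c3", "user": "bob@example.com",
     "time": "2020-12-15T11:29:58", "not_on_or_after": "2020-12-16T11:29:58"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_unissued_tokens(signins, issuance):
    """Sign-ins whose assertion ID was never minted on-prem, or was minted for a different user.

    A forged token (signed with a stolen token-signing certificate) passes the
    cloud's signature check but leaves no issuance record on the federation server.
    """
    issued = {r["assertion_id"]: r for r in issuance}
    return [s for s in signins
            if s["assertion_id"] not in issued
            or issued[s["assertion_id"]]["user"] != s["user"]]


def find_long_lived_tokens(issuance, max_lifetime=timedelta(hours=1)):
    """Issuance records whose validity window exceeds the expected policy lifetime."""
    return [r for r in issuance
            if parse(r["not_on_or_after"]) - parse(r["time"]) > max_lifetime]


if __name__ == "__main__":
    for s in find_unissued_tokens(CLOUD_SIGNINS, ADFS_ISSUANCE):
        print("no on-prem issuance for", s["user"], s["assertion_id"], s["time"])
    for r in find_long_lived_tokens(ADFS_ISSUANCE):
        print("unusually long-lived token", r["assertion_id"], r["user"])
```

In production the issuance side would be fed from the federation server's audit events and the sign-in side from the cloud identity provider's sign-in log, keyed on the same assertion identifier.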

Microsoft noted that these elements aren’t present in every attack, but urged admins to read their full customer guidance on the recent nation-state cyberattacks here.
