FireEye Mandiant announced the release of an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452, the threat group that attacked IT management company SolarWinds. UNC2452 has used some sophisticated techniques to achieve its goals. To move laterally from on-premises networks to Microsoft cloud systems, FireEye says the attackers used a combination of four main techniques: the theft of Active Directory Federation Services (AD FS) token-signing certificates to authenticate to targeted users’ accounts, the creation of Azure AD backdoors, obtaining credentials for high-privileged on-premises accounts synchronized with Microsoft 365, and abusing existing Microsoft 365 applications to gain access to valuable data.
The new tool from Mandiant, named Azure AD Investigator, allows organizations to check their Microsoft cloud environments for evidence of an attack, and alerts security teams if it identifies artifacts that may require further review. Note that a manual review may be needed in some cases as some of the artifacts uncovered by the tool may be related to legitimate activities.
What to do?
- If you use SolarWinds, or interface with systems that do, use the FireEye tool to identify possible compromise. FireEye has also published a white paper named “Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452.”
- The paper offers remediation guidance to entities hit by UNC2452, hardening guidance for those not impacted, and detection guidance that can be useful to everyone.
What can you do when this happens to you?
- If you determine your network has been breached and/or compromised, immediately shut it down and identify any malware present.
- Determine if any data has been modified or exfiltrated.
- If data has been stolen, notify all affected parties, including the local law enforcement data crimes division and the FBI.
- Reinstate the network from a known “clean” backup.
Eduard Kovacs, Security Week, January 19, 2021