Cybersecurity firm FireEye today released a report detailing the techniques used by the SolarWinds hackers inside the networks of companies they breached.
Together with the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks.
Today's FireEye report comes as the security firm has spearheaded investigations into the SolarWinds supply chain compromise, together with Microsoft and CrowdStrike.
The SolarWinds hack came to light on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor broke into the network of IT software provider SolarWinds and poisoned updates for the Orion app with malware.
The malware, known as Sunburst (or Solorigate), was used to gather info on infected companies. Most of the 18,000 SolarWinds customers who installed a trojanized version of the Orion app were ignored, but for some selected targets, the hackers deployed a second strain of malware known as Teardrop and then used several techniques to escalate access inside the local network and to the company's cloud resources, with a special focus on breaching Microsoft 365 infrastructure.
In its 35-page report today, FireEye describes in depth the techniques the hackers used after the initial compromise, along with detection, remediation, and hardening strategies that companies can apply.
Summarized, they are as follows:
"While UNC2452 has demonstrated a level of sophistication and evasiveness, the observed techniques are both detectable and defensible," FireEye said today.
In fact, it was FireEye's ability to detect these techniques inside its own network that led to the company investigating an internal breach and then discovering the broader SolarWinds incident.
Similar tools to the one FireEye released today have also been released by the US Cybersecurity and Infrastructure Security Agency (called Sparrow) and CrowdStrike (called CRT).