As details of the recent SolarWinds supply chain attack continue to surface, we’re beginning to understand just how far these motivated attackers went to avoid attention and detection. What’s clear is that privileged access was key to gaining, and maintaining, persistence in their victims’ networks.
Advanced Persistent Threats Require Privileges to Remain Under the Radar
To initiate the attack chain, the SolarWinds attackers reportedly planted backdoor code, then delivered it to SolarWinds Orion users via a Trojanized software version update. By building in an intentional “dormant period” of up to 14 days, the attackers were able to cover their tracks, making it difficult for victim organizations to correlate their actions with other malicious activity. From there, the malicious code began searching for tools and processes within the environment that could either raise red flags (such as advanced threat monitoring capabilities) or open doors (such as security solutions that could be tampered with or disabled).
From there, the attackers used a variety of credential-harvesting methods to steal identities and credentials from authorized users, then searched for privileged account credentials to unlock access to systems, infrastructure and software. They escalated these privileges to reach higher value targets such as Windows servers until they reached their end goal. In many attack sequences, this “ultimate target” is the Domain Controller – the central authority of trust within Windows environments.
But perhaps the SolarWinds attackers’ stealthiest move was the “Golden SAML” – an Active Directory Federation Services (ADFS) bypass technique first identified by CyberArk Labs in 2017 but never seen in the wild until this attack. After gaining privileged access to a victim’s network, the attackers stole a SAML token signing certificate, allowing them to forge a valid SAML token and bypass MFA completely to gain unauthorized access to both the victim’s on-premises and cloud assets. The attackers likely understood that SAML token signing certificates are almost never changed, meaning they could persist in the network, undetected, for long periods of time.
Secure Your Windows Environments with Privileged Access Management
Even the strongest, most sophisticated defenses are not always enough to stave off highly targeted attacks, so it’s necessary to “assume breach” and take steps to protect high-value assets, detect threats earlier and reduce risk. Doing this effectively requires multiple layers of security, such as endpoint protection, detection and response technology and strong privileged access management, and often happens in phases.
Given the quantity of Windows desktops, laptops, servers and virtual machines (VMs) deployed today, securing your Windows environment may be a natural place to start. Here’s how:
1. Take inventory of your local admin accounts. In theory, privileges are limited to user roles within the business. For example, a database admin (DBA) is granted privileges to log onto a Windows server to control and manage the SQL – and that’s it. Or, a designated Windows server is permitted to only run a specific web-server application – and nothing else. But in reality, it’s common for Windows admins to grant local admin privileges to human and machine users in the name of convenience. This can spiral out of control quickly, making it difficult to trace who or what has access to which systems, when and for what reason. As new machines are rapidly deployed in virtual environments, manually tracking every local admin account becomes virtually impossible. Take advantage of tools that help you automate this inventory process and make it manageable.
2. Stop sharing local admin accounts. These powerful accounts are used by IT staff to perform maintenance on workstations, servers, databases and more. Often, the same privileged account credentials are shared by multiple admins across an entire platform or organization – making them an easy target. With local admin rights, malicious insiders or external attackers can access additional privileged credentials, traverse the network and take over Windows workstations, servers, macOS machines and other critical infrastructure. Strong privileged access controls like randomizing, regularly rotating and carefully managing these “all-access passes” are a must.
3. Better yet – get rid of your local admin accounts altogether. Removing local admin rights from Windows servers and machines can dramatically reduce the risk of credential theft and ransomware infection – but it has to be done without hindering user productivity or complicating operations. A balanced approach enforces consistent least privilege policies and automates temporary privileged access elevation when end-users need it to perform required tasks. Also consider implementing just-in-time access so admins can log onto systems when needed, and for specific periods of time.
4. Identify all types of admin accounts and limit usage. Restricting access shouldn’t end with your local admin accounts. Other privileged admin accounts such as service accounts, application accounts and privileged data user accounts must be identified, secured and managed to maximize risk reduction.
5. Keep your software current. Regularly applying software patches on servers and machines is integral to a defense-in-depth strategy, as are routine updates to server control panels, content management systems and plug-ins. Also remove or turn off unnecessary services – the fewer things you have running on a system, the better.
Mitigate the Risk of Targeted Attacks with New CyberArk Features
CyberArk offers a comprehensive set of security capabilities to protect privileged access to Windows servers and machines both on-premises and in the cloud. To help organizations address existing weaknesses in their environment and protect against future attacks, we’ve introduced two new CyberArk Endpoint Privilege Manager features, which are now available as part of our 30-day free trial:
Credential theft detection and blocking for SolarWinds Orion users. Automatically detect and block attempts to harvest and steal credentials cached by the SolarWinds Orion application that can be used to access cloud services like AWS and Azure or enable remote access to corporate systems. This can help SolarWinds Orion customers to prevent attackers from gaining a foothold for lateral movement.
Duo Integration “Secrets Dump.” Multi-factor authentication (MFA) tools – like all software – need credentials in order to protect the application from unauthorized access. As such, all MFA requires credential protection. Our first policy addresses Duo MFA, which is widely used by administrators and users alike and integrates with popular applications such as Windows device logins and Outlook on the web (OWA). As the Golden SAML technique takes hold, other threat actors may try to steal a credential, aka secret key, stored within the Duo application and abuse it to bypass MFA. With this new rule, organizations can automatically protect against such Duo secret key theft and MFA tampering.
Don’t wait until the aftermath of a targeted attack to shut down the privileged pathway in your Windows environments. Follow these best practices to reduce your risk and regain control – and remember, we’re here to help.