And they may still be breaching federal networks, reports GCN:
“Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” according to updated guidance published Jan 6. “CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs).” SAML tokens having a 24-hour validity period or not containing multi-factor authentication details where expected are examples of these red flags.
As more about the SolarWinds Orion breach has surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove hackers from the government’s networks because their access is probably no longer predicated on flaws in SolarWinds Orion, IT management software. CISA’s new guidance appears to confirm that suspicion, stating that Microsoft, which is helping the federal government investigate the hack, reported the hackers are tampering with the trust protocols in Azure/Microsoft 365.
“Microsoft reported that the actor has added new federation trusts to existing on premises infrastructure,” according to the agency’s guidance. “Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner.” In cases where administrative level credentials were compromised, organizations should conduct a “full reconstruction of identity and trust services,” CISA said.
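One way a defender might screen issued SAML assertions for the two red flags named above (an unusually long validity window and a missing MFA authentication context), as an added example that is not from CISA, GCN or Microsoft; the one-hour threshold, the set of MFA context values and the sample assertions are assumptions constructed for illustration:

```python
"""Flag SAML assertions that show the red flags CISA described: an unusually
long validity window and a missing MFA authentication context.
Added example code; not from CISA, GCN, or Microsoft."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed threshold: IdPs normally issue assertions valid for minutes, not a day.
MAX_VALIDITY = timedelta(hours=1)
# Assumed set of AuthnContextClassRef values that indicate MFA was performed.
MFA_CONTEXTS = {
    "http://schemas.microsoft.com/claims/multipleauthn",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}

def _parse_time(value):
    # SAML timestamps are ISO 8601 in UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, max_validity=MAX_VALIDITY):
    """Return a list of red-flag descriptions for one SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    flags = []
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        window = _parse_time(cond.get("NotOnOrAfter")) - _parse_time(cond.get("NotBefore"))
        if window > max_validity:
            flags.append(f"validity window of {window} exceeds {max_validity}")
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() not in MFA_CONTEXTS:
        flags.append("no MFA authentication context where one is expected")
    return flags

# Constructed sample: a 24-hour assertion with password-only authentication.
SUSPICIOUS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2021-01-06T00:00:00Z" NotOnOrAfter="2021-01-07T00:00:00Z"/>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
# Constructed benign counterpart: five-minute window, MFA context present.
BENIGN = SUSPICIOUS.replace('NotOnOrAfter="2021-01-07T00:00:00Z"', 'NotOnOrAfter="2021-01-06T00:05:00Z"') \
    .replace("ac:classes:Password", "ac:classes:MobileTwoFactorContract")

if __name__ == "__main__":
    print(check_assertion(SUSPICIOUS))  # two flags
    print(check_assertion(BENIGN))      # []
```

Checks like this only help when run against assertions actually accepted by the relying party (for example from federation or sign-in logs), since an attacker who forges tokens with a stolen signing key never touches the legitimate IdP's issuance path.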