While the SolarWinds hack primarily targeted in-house infrastructure, the breach has morphed into a multidimensional assault on key computing infrastructure, including cloud services.
The SolarWinds supply chain attack, which was broad in scope and sophisticated in nature and execution, could affect popular cloud-based services provided by key players, including Microsoft and Amazon. This is because the SolarWinds Orion software, widely used for network monitoring, could be deployed in cloud environments.
Under such conditions, it might have privileged access to AWS and Microsoft Azure API keys, Identity and Access Management (IAM) services, and other security credentials.
Similarly, compromised Orion software running on in-house environments allows attackers to authenticate against cloud platforms by manipulating the Security Assertion Markup Language (SAML) to create access tokens.
Hackers targeting cloud platforms and services
Details from the NSA and Microsoft show that the suspected Russian hackers behind the SolarWinds hack were targeting cloud services such as Office 365.
Additionally, Reuters’ reporting claimed that hackers had compromised cloud services on National Telecommunications and Information Administration’s Microsoft Office 365 account and monitored staff emails for months.
Similarly, a recent report by Microsoft also revealed that the attackers tried to read CrowdStrike’s emails through a compromised reseller’s Microsoft Azure account.
SolarWinds hack threatens cloud services in myriad ways
SolarWinds hack attributed to suspected Russian hackers threatens various cloud infrastructure such as AWS and Microsoft Azure in several ways.
Firstly, Orion databases store AWS and Azure cloud platforms’ API keys alongside other security credentials. Attackers could later access the stored security identifications to compromise other cloud services.
Similarly, SolarWinds Orion software deployed on AWS or Azure cloud platforms has access to root API keys. These privileges grant an attacker full admin access to the cloud services running on the platform.
Orion software also requires access to Identity and Access Management (IAM) services. Consequently, running Orion software injected with malicious code compromises the whole Orion IAM identity services on the cloud environment. Attackers could exploit the IAM to expose resources and networks and perform role chaining to escalate access privileges.
A resource-based policy allows any principal in the account to access the resource without identity-based permissions in the AWS platform. Consequently, Orion IAM identity could gain access to resources, leading to resource exposure.
Similarly, if a cloud service’s trust policy allows various identities to assume a role, the role could be adopted by any trusted identity residing within the cloud account. This leads to role chaining, which attackers could use to escalate privileges on the cloud platform.
Orion software with permissions to list EC2 instances through the IAM identity manager could also allow an attacker to restart internet-exposed EC2 instances. The attackers behind the SolarWinds hack could escalate privileges on such instances to perform more privileged actions.
Additionally, some stopped instances have EC2FullAccess permissions and were only used for testing before they were shut down. The ability to restart them gives the attackers accused of the SolarWinds hack more access to cloud infrastructure resources leading to network exposure.
Mitigating security risks associated with the SolarWinds hack on cloud services
A SolarWinds customer running Orion software on cloud platforms should consider their cloud APIs compromised. Consequently, they should regenerate new access keys, alongside other security credentials stored in the Orion databases.
Since it’s difficult to list all the credentials in an Orion database, IT security staff could use SolarFlare to enumerate the stored credentials. SolarFlare is a cloud security tool developed by the cloud security researcher Rob Fuller.
Cloud platform operators should adopt the “least privilege” strategy to address resource exposure, role chaining, network exposure, and API root key access risks.
Similarly, installing Orion software on a standalone account reduces the risk posed on other company’s cloud services.
Since SolarWinds’ Orion software requires access to an IAM identity, it poses risks to the host cloud infrastructure. Reviewing the permissions granted to Orion software in the IAM identity manager could reduce the risks of a possible IAM compromise.
Microsoft’s blog post also provided detailed information for incidence response teams in the case of a SolarWinds hack.
Cloud services offer an additional attack vector for the hackers to gain more victims, whose number is rising. Confirmed SolarWinds’ breach victims include government agencies, private companies, and critical infrastructure entities, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.