U.S. federal government cybersecurity agencies issued an advisory that threat actors exploited “non-SolarWinds products” in gaining access to targets’ computer systems during the SolarWinds attack. The advisory said that hackers used the trojanized SolarWinds Orion app in gaining initial access to the local networks and then exploiting a VMWare vulnerability (CVE-2020-4006) to perform federated login through Microsoft Active Directory Federation Services (ADFS).
The SolarWinds hack was associated with several cyber attacks affecting major companies including FireEye and various federal agencies. VMWare released an update on Dec 3, to seal the security loophole after learning of the vulnerability through the NSA.
Vulnerable VMWare products exploited in the SolarWinds hack
According to the NSA Dec 7 advisory, “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.”
The NSA noted that to complete federated login, the threat actors had to access the vulnerable VMware device’s management interface. Therefore, they must be present on the target’s internal network if the VMWare’s vulnerable interfaces were not exposed to the Internet.
However, SolarWinds trojanized Orion software granted the attackers an easy method of infiltrating the target’s local network. The attackers could then access VMWare products to complete federated login by generating authentication tokens against the ADFS.
VMWare told KrebsOnSecurity that it had received no notification or signs that threat actors combined CVE 2020-4006 vulnerability with the SolarWinds Orion software to execute the SolarWinds hack.
In a statement, VMWare said that “while we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation.”
SAML certificate used to generate authentication tokens for federated login
DHS’s CISA alert on Dec. 17 noted that threat actors were using additional attack vectors apart from the SolarWinds hack. CISA noted that threat actors performed federated login “by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges.”
The hackers created unauthenticated but valid tokens and presented them to environments that trust SAML tokens from the source environments. Using the tokens, the attackers could complete federated login, access cloud resources such as Microsoft Office 365, and exfiltrate data through APIs.
The Dec 7 advisory said that the NSA had identified hacking activity involving VMware’s vulnerability leading to the “installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS).” The ADFS then granted the attackers full access to sensitive information.
In the Dec 17 advisory, the NSA said that the SAML tokens used for federated login against Microsoft’s ADFS during the SolarWinds hack were possibly generated using VMWare’s vulnerable software.
The advisory added that the attackers successfully bypassed multi-factor authentication (MFA) protecting the targeted systems. Additionally, they impersonated and attacked key cybersecurity personnel such as incident response staff and email accounts staff.
Advice from NSA for affected companies
NSA advised companies affected by the SolarWinds hack to consider their email accounts, internal networks, and identity trust stores as compromised. Consequently, they should use different channels to discuss ways of cleaning their network.
The advisory recommended a “full reconstitution of identity and trust services” to successfully remediate the effects of the SolarWinds hack if companies’ identity stores were fully compromised. Noting that the threat actor was highly skillful, the advisory recommended a “full rebuild of the environment.”
CISA also advised government agencies and contractors to patch their systems to prevent Russian government state-sponsored threat actors from accessing core government systems.