
FireEye Releases New Open Source Tool in Response to SolarWinds Hack

FireEye Mandiant on Tuesday announced the release of an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452, the name currently assigned by the cybersecurity firm to the threat group that attacked IT management company SolarWinds.

The SolarWinds supply chain attack has claimed hundreds of victims, and potentially impacted entities should check their systems for signs of an intrusion associated with it. Organizations not impacted by the incident should also acquire the skills and resources needed to detect and neutralize these types of threats in case they are targeted in the future, particularly since other threat actors are expected to borrow from the UNC2452 playbook in their own operations.

UNC2452 has used some sophisticated techniques to achieve its goals. For moving laterally from on-premises networks to Microsoft cloud systems, FireEye says the attackers used a combination of four main techniques: stealing Active Directory Federation Services (AD FS) token-signing certificates and using them to authenticate to targeted users' accounts, creating Azure AD backdoors, obtaining credentials for high-privileged on-premises accounts synchronized with Microsoft 365, and abusing existing Microsoft 365 applications to gain access to valuable data.

The new tool from Mandiant, named Azure AD Investigator, allows organizations to check their Microsoft cloud environments for evidence of an attack, and alerts security teams if it identifies artifacts that may require further review.

FireEye has noted that manual review may be needed in some cases, since some of the artifacts the tool uncovers may result from legitimate administrative activity.
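As an added illustration of the kind of check described above (the four techniques listed earlier and the tool's "flag for review" behaviour), the following Python script triages a constructed set of exported Microsoft 365 audit log records. It is example code written for this article, not FireEye's Azure AD Investigator; the audit log operation names are assumed to match Azure AD audit activity names and should be verified against your own tenant, and every sample record is constructed.

```python
# Constructed example (not FireEye's tool): triage exported M365 audit log records.
from collections import defaultdict

# Audit log Operation names (assumed to match Azure AD audit activity names;
# verify against your own tenant) mapped to the article's technique categories.
FEDERATION = "federation trust change (AD FS token-signing / SAML abuse)"
APP_CRED = "credential added to existing application (app abuse / backdoor)"
ROLE_GRANT = "privileged role assignment (check for synced on-prem accounts)"
WATCHLIST = {
    "Set federation settings on domain": FEDERATION,
    "Set domain authentication": FEDERATION,
    "Add service principal credentials": APP_CRED,
    "Update application - Certificates and secrets management": APP_CRED,
    "Add member to role": ROLE_GRANT,
}

# Constructed records in the shape of an exported unified audit log (subset of fields).
SAMPLE_LOG = [
    {"CreationTime": "2020-12-14T03:12:09", "Operation": "Set domain authentication",
     "UserId": "admin@example.test", "ObjectId": "example.test"},
    {"CreationTime": "2020-12-14T03:15:44", "Operation": "Add service principal credentials",
     "UserId": "admin@example.test", "ObjectId": "ServicePrincipal_MailReader"},
    {"CreationTime": "2020-12-14T09:01:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.test", "ObjectId": "Unknown"},
    {"CreationTime": "2020-12-14T10:40:31", "Operation": "Add member to role",
     "UserId": "sync_svc@example.test", "ObjectId": "Global Administrator"},
]

def triage(records):
    """Return one lead per watchlisted record. Every lead is marked for manual
    review, because the same operations also occur in legitimate admin work."""
    leads = []
    for rec in records:
        category = WATCHLIST.get(rec.get("Operation"))
        if category is None:
            continue
        leads.append({"time": rec["CreationTime"], "operation": rec["Operation"],
                      "actor": rec.get("UserId", "<unknown>"),
                      "target": rec.get("ObjectId", "<unknown>"),
                      "category": category, "verdict": "needs manual review"})
    return leads

def summarize(leads):
    """Count leads per technique category and per actor to prioritise review."""
    by_category, by_actor = defaultdict(int), defaultdict(int)
    for lead in leads:
        by_category[lead["category"]] += 1
        by_actor[lead["actor"]] += 1
    return dict(by_category), dict(by_actor)
```

Running `triage(SAMPLE_LOG)` yields three leads (the federation change, the service principal credential, and the role grant), and `summarize` shows that one actor is behind two of them, which is the sort of clustering an analyst would review first.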

“The purpose of this resource is to empower organizations with the specific methodologies that our Mandiant experts are seeing from how the attacker is getting from on-premises to the cloud and what does that even look like, to the four core techniques that we’ve seen from the attack group,” Douglas Bienstock, manager at Mandiant, told SecurityWeek. “This is meant to provide a narrative about the technique but also call out the objectives and why this should be important to an organization – in other words, why should they care that attackers are doing this.”

The Azure AD Investigator source code is available on GitHub.

In addition to the tool, FireEye on Tuesday published a white paper named “Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452,” which shares recommendations on how organizations can mitigate and address potential attacks targeting their Microsoft 365 environments. The company says the paper offers remediation guidance to entities hit by UNC2452, hardening guidance for those not impacted, and detection guidance that can be useful to everyone.

“There’s been a lot of information that’s scattered out there making it difficult for companies to determine what they need to do to investigate their environment to remediate it, or proactively harden against it. This whitepaper is meant to serve as that playbook,” Bienstock said.

Related: FBI, CISA, ODNI Describe Response to SolarWinds Attack

Related: Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank

Related: Microsoft Enables Automatic Remediation in Defender for Endpoint

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
