Connect with us

Hi, what are you looking for?



Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank

Using indicators of compromise (IoCs) made available by FireEye, threat intelligence and incident response firm Volexity determined that the threat group behind the SolarWinds hack targeted a U.S.

Using indicators of compromise (IoCs) made available by FireEye, threat intelligence and incident response firm Volexity determined that the threat group behind the SolarWinds hack targeted a U.S. think tank earlier this year, and it used a clever method to bypass multi-factor authentication (MFA) and access emails.

IT management and monitoring solutions provider SolarWinds has confirmed that a sophisticated threat group compromised the software build system for its Orion monitoring platform, allowing it to deliver trojanized updates to the company’s customers between March and June 2020.

The campaign apparently targeted several U.S. government organizations — including the DHS, the Treasury Department and the Commerce Department — as well as many other organizations in North America, Europe, Asia and the Middle East. FireEye was apparently also targeted by the same group, which managed to steal some Red Team tools from the cybersecurity firm.

SolarWinds said in a SEC filing that 18,000 of its 300,000 customers may have used the compromised products. One of those customers, according to Volexity, was a U.S.-based think tank that failed to detect the attackers’ presence and, once it did detect them, failed to keep them out.

Volexity said the group, which it tracks as Dark Halo (FireEye tracks it as UNC2452), remained undetected for several years. When they breached the think tank’s systems for a second time, the hackers leveraged a vulnerability in the organization’s Microsoft Exchange Control Panel and used a novel technique to bypass MFA from Cisco-owned Duo Security and access emails.

When the attackers struck the third time, in June and July 2020, they exploited the SolarWinds Orion product.

“At the time of the investigation, Volexity deduced that the likely infection was the result of the SolarWinds box on the target network; however, it was not fully understood exactly how the breach occurred (i.e., whether there was some unknown exploit in play, or other means of access), therefore Volexity was not in a position to report the circumstances surrounding the breach to SolarWinds,” Volexity said.

Advertisement. Scroll to continue reading.

However, the most interesting part of Volexity’s report describes how Dark Halo bypassed MFA during the second breach it observed at the think tank. The method involved bypassing the Duo MFA to access an email account through the victim’s Outlook Web App (OWA) service.

“Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented cookie tied to a Duo MFA session named duo-sid,” Volexity explained.

“Volexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account,” it added.

Volexity has clarified that the method did not involve exploitation of a vulnerability in the Duo product. The attack was possible due to the victim’s failure to change all secrets associated with key integrations after the breach was discovered.

SolarWinds also reported observing an attack targeting its Office 365 email systems, but it has yet to determine if it was related to the Orion hack. In a blog post on the attacks, Microsoft also described interesting methods used by the hackers to access emails.

While some reports say Russia is behind the SolarWinds hack, specifically the group tracked as APT29 and Cozy Bear, Volexity said it had found no links during its investigation to a known threat actor. Russia has denied the allegations.

Related: 6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication

Related: Cisco Research Shows High Success Rate in Bypassing Fingerprint Authentication

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.