The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed that the threat actor behind the recent SolarWinds hack was able to guess the passwords of many victims as they did not use a password manager to generate strong, complex passwords.
In its initial advisory on the SolarWinds hack, CISA said that it was also investigating cases where the threat actor responsible was able to breach targets who were not running the company's Orion software.
- We've put together a list of the best business password managers
- These are the best security keys on the market
- Also check out our roundup of the best identity management software
Now in an update to its original advisory, the agency has confirmed that password guessing, password spraying and unsecured credentials also played a role, saying:
“Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst). However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.”
Detecting threat activity
Once the hackers gained access to internal networks or cloud infrastructure, they escalated access in order to gain administrator rights according to CISA. They then forged authentication tokens (OAuth) that allowed them to access other local or cloud-hosted resources on a company's network without the need for valid credentials.
CISA has published a second advisory to help organizations search Microsoft-based cloud setups for any traces of the SolarWinds hackers' activity and to remediate their servers. The agency says that its guidance is “irrespective of the initial access vector” which means that it applies to organizations that used the trojanized Orion app as well as those who credentials were obtained in either password guessing or spraying attacks.
At the same time, organizations can use CISA's tool Sparrow as well as CrowdStrike's similar tool called CST to detect possible compromised accounts and applications in Azure Microsoft 365 environments.
- We've also highlighted the best antivirus software