CISA Alert on Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

CISA (Cybersecurity and Infrastructure Security Agency) has issued a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. The companion alert, AA21-008A, focuses on post-compromise activity in Microsoft cloud environments that CISA attributes to initial access vectors other than the SolarWinds Orion platform.

What CISA Has Seen:

  • An APT (advanced persistent threat) actor using compromised applications in victims' Microsoft 365/Azure environments.
  • An APT actor using additional credentials and API (application programming interface) access to reach cloud resources of public and private sector organizations.

The actor's TTPs (tactics, techniques, and procedures) include the following three components:

  1. Compromising or bypassing federated identity solutions (the on-premises identity provider that issues tokens trusted by the cloud tenant).
  2. Using forged authentication tokens to move laterally into Microsoft cloud environments; because the tokens are accepted as valid, the activity does not raise the suspicion that a failed or anomalous credential logon would.
  3. Using privileged access or privilege escalation in a victim's cloud environment to establish difficult-to-detect persistence (for example, credentials added to existing applications and service principals for API-based access) and to reach sensitive information.

The companion alert also details detection methods that use open-source tools, including CISA's own Sparrow PowerShell script for reviewing Azure AD and Microsoft 365 audit data, together with mitigations.
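As an added illustration of what a detection pass for the three TTP components above might look like, the following Python sketch runs three checks over a handful of constructed audit records. It is example code written for this summary, not CISA's Sparrow script or any code from the alert. The record shapes, the field names (Operation, UserId, tokenIssuerType, createdDateTime) and the ten-minute correlation window are simplifying assumptions modelled on Azure AD audit and sign-in exports; the audit operation names are those commonly seen in Azure AD audit data but should be verified against your own tenant's export before relying on them.

```python
"""Toy detection pass for the three TTP components in CISA AA21-008A.

Added example, not CISA's Sparrow tool or code from the alert. Record shapes,
field names and operation strings are assumptions; verify against your tenant.
"""
from datetime import datetime, timedelta

# Component 1: operations that change the federated trust of a domain.
# These should be rare and tied to a change ticket.
FEDERATION_OPS = {"Set federation settings on domain.", "Set domain authentication."}

# Component 3: operations that add credentials to an application or service
# principal, a common way to keep API-based access after the initial foothold.
# The en dash in the first string mirrors the real audit operation name.
APP_CREDENTIAL_OPS = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials.",
}

# Constructed sample data (not real tenant data).
AUDIT = [
    {"CreationTime": "2020-12-14T09:12:00", "UserId": "admin@contoso.example",
     "Operation": "Set federation settings on domain.", "ObjectId": "contoso.example"},
    {"CreationTime": "2020-12-14T09:20:00", "UserId": "admin@contoso.example",
     "Operation": "Add user.", "ObjectId": "new.hire@contoso.example"},
    {"CreationTime": "2020-12-14T11:05:00", "UserId": "admin@contoso.example",
     "Operation": "Update application – Certificates and secrets management ",
     "ObjectId": "mail-archiver-app"},
]
SIGNINS = [
    # Legitimate federated logon: matched by an AD FS issuance event below.
    {"createdDateTime": "2020-12-14T10:00:00", "userPrincipalName": "alice@contoso.example",
     "tokenIssuerType": "ADFederationServices", "appDisplayName": "Office 365 Exchange Online"},
    # Federated logon with no AD FS issuance event at all: candidate forged token.
    {"createdDateTime": "2020-12-14T22:41:00", "userPrincipalName": "ceo@contoso.example",
     "tokenIssuerType": "ADFederationServices", "appDisplayName": "Office 365 Exchange Online"},
    # Cloud-only account; not federated, so the correlation does not apply.
    {"createdDateTime": "2020-12-14T10:30:00", "userPrincipalName": "bob@contoso.example",
     "tokenIssuerType": "AzureAD", "appDisplayName": "Microsoft Teams"},
]
# AD FS security-log events: 1200 = token issued, 1202 = credential validated.
ADFS_EVENTS = [
    {"time": "2020-12-14T09:59:29", "user": "alice@contoso.example", "event_id": 1202},
    {"time": "2020-12-14T09:59:30", "user": "alice@contoso.example", "event_id": 1200},
]


def _ts(s):
    return datetime.fromisoformat(s)


def federation_changes(audit):
    """Component 1: every change to domain federation / authentication settings."""
    return [r for r in audit if r["Operation"].strip() in FEDERATION_OPS]


def app_credential_changes(audit):
    """Component 3: credentials added to applications or service principals."""
    return [r for r in audit if r["Operation"].strip() in APP_CREDENTIAL_OPS]


def unmatched_federated_signins(signins, adfs_events, window=timedelta(minutes=10)):
    """Component 2: a sign-in that Azure AD attributes to the federation server
    but for which the on-premises AD FS log has no token-issuance event (1200)
    for that user inside the window. A SAML token forged with a stolen signing
    key never passes through the real AD FS server, so no such event exists."""
    issued = [(e["user"].lower(), _ts(e["time"])) for e in adfs_events if e["event_id"] == 1200]
    flagged = []
    for s in signins:
        if s["tokenIssuerType"] != "ADFederationServices":
            continue
        t = _ts(s["createdDateTime"])
        upn = s["userPrincipalName"].lower()
        if not any(u == upn and t - window <= it <= t for u, it in issued):
            flagged.append(s)
    return flagged


def run_detections(audit=AUDIT, signins=SIGNINS, adfs_events=ADFS_EVENTS):
    """Return the findings of all three checks keyed by TTP component."""
    return {
        "federation_changes": federation_changes(audit),
        "forged_token_candidates": unmatched_federated_signins(signins, adfs_events),
        "app_credential_changes": app_credential_changes(audit),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

The correlation in the second check is the part worth adapting carefully: AD FS logs by account name rather than UPN in some deployments, and clock skew between the federation server and Azure AD can exceed a fixed window, so treat a miss as a lead to investigate alongside the token lifetime and issuer details in the sign-in record, not as proof of forgery on its own.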