‘SolarWinds Hackers’ Now Hitting Resellers: 5 Things To Know
From leveraging anonymous infrastructure and taking advantage of delegated administrative privileges to gaining access to virtual machines, here’s how the group behind the SolarWinds attack is going after resellers.
5. Delegated Administrative Privileges Difficult To Find
The SVR has taken advantage of delegated administrative privileges in its latest campaign against resellers, leveraging that access to extend downstream attacks through externally facing VPNs or unique tools that enable network access, Microsoft said. This attack path has been used to obtain access to both on-premises and cloud victim environments, according to Carmakal.
“These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by administrators,” the Microsoft Threat Intelligence Center (MSTIC) wrote in a blog post Monday.
Microsoft said that, starting in November, a new reporting tool will be available that identifies and displays all active delegated administrative privilege connections, helping companies discover unused connections. The tool will provide reporting that captures how partner agents are accessing client tenants through these privileges and will allow partners to remove a connection when it is not in use, Microsoft said.