‘SolarWinds Hackers’ Now Hitting Resellers: 5 Things To Know
From leveraging anonymous infrastructure and taking advantage of delegated administrative privileges to gaining access to virtual machines, here’s how the group behind the SolarWinds attack is going after resellers.
2. SVR Targeted Admin Credentials, Not Software Flaw
Unlike the SolarWinds attack, this campaign has not relied on exploiting any flaw or vulnerability in software. Instead, Microsoft said, the SVR has targeted the privileged accounts of service providers and used them to move laterally into cloud environments, abusing the trust relationships between those providers and their downstream customers to reach the customers' systems and stage further attacks.
“This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor,” Carmakal said in a statement. “It shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses.”
In the observed supply chain attacks, the SVR is also targeting downstream customers of those resellers and service providers, Microsoft said. In these cases the customers have granted the resellers and service providers delegated administrative rights that let the solution provider manage the customer's tenant as if it were an administrator inside the customer's own organization, Microsoft said, so a compromised partner account carries that same level of access into the customer tenant.
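The delegated-admin path described above is what a customer tenant has to hunt for in its own sign-in logs, because the partner's credentials are valid and the activity looks like routine administration. What follows is an added example, not code from the article, Microsoft or Mandiant: a small Python triage script over Microsoft Entra ID (Azure AD) sign-in records. It assumes the field names of the Microsoft Graph signIn resource (crossTenantAccessType, where the value serviceProvider marks a sign-in made through delegated admin privileges; homeTenantId; authenticationRequirement; conditionalAccessStatus). The sign-in records are constructed for the example, and the tenant IDs and the partner allowlist are hypothetical.

```python
"""Triage partner (delegated-admin) sign-ins in Entra ID sign-in log records.

Added example, not from the article. Record fields follow the Microsoft Graph
signIn resource; the records below are constructed, and OUR_TENANT and
KNOWN_PARTNER_TENANTS are hypothetical values.
"""
import json
from collections import Counter

# Hypothetical: this organization's tenant and the tenants of the resellers
# it has knowingly granted delegated admin rights to. Any serviceProvider
# sign-in from another home tenant is access nobody in the org signed off on.
OUR_TENANT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
KNOWN_PARTNER_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample records (shape of the Graph signIn resource, trimmed).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@customer.example",
     "homeTenantId": OUR_TENANT, "resourceTenantId": OUR_TENANT,
     "crossTenantAccessType": "none",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "ipAddress": "203.0.113.10"},
    {"id": "s2", "userPrincipalName": "admin@reseller.example",
     "homeTenantId": "11111111-1111-1111-1111-111111111111",
     "resourceTenantId": OUR_TENANT,
     "crossTenantAccessType": "serviceProvider",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "ipAddress": "198.51.100.7"},
    {"id": "s3", "userPrincipalName": "svc@unknown-partner.example",
     "homeTenantId": "22222222-2222-2222-2222-222222222222",
     "resourceTenantId": OUR_TENANT,
     "crossTenantAccessType": "serviceProvider",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "192.0.2.44"},
    {"id": "s4", "userPrincipalName": "helpdesk@reseller.example",
     "homeTenantId": "11111111-1111-1111-1111-111111111111",
     "resourceTenantId": OUR_TENANT,
     "crossTenantAccessType": "serviceProvider",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.9"},
]


def load_signins(path):
    """Load a JSON export of GET /auditLogs/signIns (records under 'value')."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data.get("value", data) if isinstance(data, dict) else data


def is_partner_signin(rec):
    """True when the sign-in came through delegated admin privileges."""
    return rec.get("crossTenantAccessType") == "serviceProvider"


def triage_signin(rec):
    """Return the list of findings for one record (empty if nothing to flag)."""
    findings = []
    if not is_partner_signin(rec):
        return findings
    # A partner tenant the organization never delegated rights to.
    if rec.get("homeTenantId") not in KNOWN_PARTNER_TENANTS:
        findings.append("unknown-partner-tenant")
    # Partner admin access that was not challenged for a second factor.
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        findings.append("no-mfa")
    # No Conditional Access policy covered the partner sign-in at all.
    if rec.get("conditionalAccessStatus") == "notApplied":
        findings.append("no-conditional-access-policy")
    return findings


def triage(records):
    """Summarize partner sign-ins and list the ones that need a look."""
    report = {"partner_signins": 0, "by_home_tenant": Counter(), "alerts": []}
    for rec in records:
        if not is_partner_signin(rec):
            continue
        report["partner_signins"] += 1
        report["by_home_tenant"][rec.get("homeTenantId")] += 1
        findings = triage_signin(rec)
        if findings:
            report["alerts"].append({
                "id": rec.get("id"),
                "upn": rec.get("userPrincipalName"),
                "homeTenantId": rec.get("homeTenantId"),
                "ip": rec.get("ipAddress"),
                "findings": findings,
            })
    report["by_home_tenant"] = dict(report["by_home_tenant"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

The allowlist is the check that matters most: a serviceProvider sign-in from a tenant the organization never granted delegated rights to is worth an investigation on its own, MFA or not, while sign-ins from a known partner without MFA or outside any Conditional Access policy show where the partner's access is weaker than the organization's own admins would be allowed to be.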