10 Boldest Statements From The SolarWinds Senate Hearing
Senators and tech executives discussed how the SolarWinds hackers used AWS’ infrastructure, took advantage of Microsoft’s authentication process, dwelled in FireEye’s systems and remained undetected for months.
2. CrowdStrike, Microsoft Spar Over Microsoft’s Culpability
Kurtz: The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network as well as between the network and the cloud by creating false credentials impersonating legitimate users and bypassing multifactor authentication. …
One of the most sophisticated aspects of the campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft’s Active Directory Federation Services. The Golden SAML attack allowed them to jump from customer on-premise environments and into cloud and cloud applications, effectively bypassing multifactor authentication. This specific attack vector was documented in 2017, and operates at a cloud-scale version of similar identity-based attacks I originally wrote about in 1999. …
Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms. It is our every hope and, I imagine, the hope of the entire cybersecurity community either that they are able to do so or that we can move to a more community-driven approach to authentication.
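The detection angle on the Golden SAML mechanism Kurtz describes, as an added example that is not part of the hearing and is not code from CrowdStrike or Microsoft: a forged assertion is signed with the stolen AD FS token-signing key and never passes through the IdP, so the cloud side accepts an MFA-claiming token for which no issuance event exists. The log field names and the five-minute correlation window below are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data). In practice these would come
# from the AD FS token-issuance audit log and the cloud tenant's sign-in
# log; the field names used here are an assumption of this example.
ADFS_ISSUANCE = [
    {"time": "2020-12-01T10:00:05Z", "user": "alice@example.com", "mfa": True},
    {"time": "2020-12-01T10:30:00Z", "user": "bob@example.com", "mfa": True},
]
CLOUD_SIGNINS = [
    {"time": "2020-12-01T10:00:09Z", "user": "alice@example.com", "mfa_claimed": True},
    # Federated sign-in carrying an MFA claim, but the IdP never issued a token.
    {"time": "2020-12-01T11:15:00Z", "user": "carol@example.com", "mfa_claimed": True},
    # A real issuance exists for bob, but hours before this sign-in.
    {"time": "2020-12-01T12:30:00Z", "user": "bob@example.com", "mfa_claimed": True},
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamp format used by the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unbacked_signins(signins, issuances, window=timedelta(minutes=5)):
    """Return users whose federated cloud sign-in has no IdP issuance event
    for the same user within `window` before the sign-in.

    Every legitimate SAML sign-in is preceded by the IdP minting the
    assertion; a sign-in with no such record is the signature of a token
    forged outside the IdP and deserves investigation.
    """
    issued_at = {}
    for ev in issuances:
        issued_at.setdefault(ev["user"], []).append(_ts(ev["time"]))
    flagged = []
    for s in signins:
        t = _ts(s["time"])
        backed = any(
            0 <= (t - it).total_seconds() <= window.total_seconds()
            for it in issued_at.get(s["user"], [])
        )
        if not backed:
            flagged.append(s["user"])
    return flagged


if __name__ == "__main__":
    print(find_unbacked_signins(CLOUD_SIGNINS, ADFS_ISSUANCE))
```

The window should be set from the relying party's configured assertion lifetime, since a token reused inside its validity period is legitimate; a sign-in whose assertion claims MFA while the matching issuance record shows none is a second signal worth adding on the same join.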
Smith: The forged identity refers to an industry standard—SAML. It’s a markup language. It’s an industry standard that is supported by a wide variety of products, including our own. Actually, as we investigated this incident, we found that it was relevant in only 15 percent of the cases. And in those 15 percent, in every instance, this tool was used to add access capability only after the actor was in the network, had obtained access with what we call elevated privileges, and was able to move around and then use this.
This particular standard—the SAML standard—was created in 2007. So long before 2017, we and many other companies in the industry have been working to move people towards a more modern authentication standard. And there has been one that has been around since 2012.