3. Hackers Forged Tokens To Impersonate Privileged Accounts
The attackers used administrative permissions, acquired through the on-premises compromise of SolarWinds Orion, to gain access to a victim's trusted SAML token-signing certificate, said John Lambert, distinguished engineer in Microsoft's Threat Intelligence Center. With that certificate they could forge SAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged ones.
A compromised token-signing certificate can be used against any on-premises resource, regardless of identity system or vendor, and against any cloud environment, regardless of vendor, because those resources have been configured to trust the certificate, Lambert wrote in a blog post published Sunday. Because the forged SAML tokens are signed with the victim's own trusted certificate, the victim may not notice anything anomalous.
Lambert said that, using highly privileged accounts acquired through this technique, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permissions assigned to that application.
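Both abuses described above leave traces that can be hunted for: a token forged with a stolen signing certificate (the technique widely known as Golden SAML) is accepted by the cloud side but was never issued by the federation server, often carries a validity window longer than the federation server is configured to grant, and the follow-on step shows up in the directory audit log as credentials being added to an application service principal. The following is an added example written for this page, not code from the article or from Microsoft. The log records are constructed and simplified, their field names and the audit operation names are assumptions rather than a real AD FS or Azure AD schema, and the one-hour token lifetime is an assumed tenant policy.

```python
"""Hunting for forged SAML tokens and service-principal credential additions.

Added example; not code from the article or from Microsoft. All records
below are constructed and simplified, and their field names are assumptions
rather than any real AD FS or Azure AD schema.
"""
from datetime import datetime, timedelta

# Constructed AD FS issuance records: assertions the federation server says it issued.
ADFS_ISSUANCE = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "issued": "2020-12-13T10:00:00"},
    {"assertion_id": "_a2", "user": "bob@corp.example", "issued": "2020-12-13T10:05:00"},
]

# Constructed cloud-side sign-ins: which SAML assertion was presented and its validity window.
CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "user": "alice@corp.example",
     "valid_from": "2020-12-13T10:00:00", "valid_to": "2020-12-13T11:00:00"},
    {"assertion_id": "_a2", "user": "bob@corp.example",
     "valid_from": "2020-12-13T10:05:00", "valid_to": "2020-12-13T11:05:00"},
    # Forged with the stolen signing certificate: AD FS never issued it, and the
    # attacker chose a 24-hour validity window for a highly privileged account.
    {"assertion_id": "_f9", "user": "ga-admin@corp.example",
     "valid_from": "2020-12-13T09:00:00", "valid_to": "2020-12-14T09:00:00"},
]

# Constructed directory audit records.
DIRECTORY_AUDIT = [
    {"operation": "Update user", "actor": "helpdesk@corp.example", "target": "carol@corp.example"},
    {"operation": "Add service principal credentials", "actor": "ga-admin@corp.example",
     "target": "billing-sync-app"},
]

# Assumption: this tenant's AD FS issues assertions valid for at most one hour.
MAX_TOKEN_LIFETIME = timedelta(hours=1)

# Audit operations that add a key or secret to an application / service principal.
# Assumption: adapt these strings to the activity names your directory actually emits.
SP_CREDENTIAL_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}


def _lifetime(signin):
    """Validity window of the assertion presented at sign-in."""
    return datetime.fromisoformat(signin["valid_to"]) - datetime.fromisoformat(signin["valid_from"])


def find_unissued_tokens(signins, issuance):
    """Sign-ins whose assertion ID has no matching AD FS issuance record.

    A token the cloud accepted but the federation server never logged is the
    hallmark of a token signed outside AD FS with a stolen certificate.
    """
    issued = {r["assertion_id"] for r in issuance}
    return [s for s in signins if s["assertion_id"] not in issued]


def find_long_lived_tokens(signins, max_lifetime=MAX_TOKEN_LIFETIME):
    """Sign-ins carrying an assertion valid longer than AD FS is configured to issue."""
    return [s for s in signins if _lifetime(s) > max_lifetime]


def find_sp_credential_additions(audit, operations=SP_CREDENTIAL_OPERATIONS):
    """Audit events where someone added credentials to a service principal."""
    return [a for a in audit if a["operation"] in operations]


def hunt(signins=CLOUD_SIGNINS, issuance=ADFS_ISSUANCE, audit=DIRECTORY_AUDIT):
    """Run all three checks and return a list of (rule, record) findings."""
    findings = []
    findings += [("saml_token_not_issued_by_adfs", s) for s in find_unissued_tokens(signins, issuance)]
    findings += [("saml_token_lifetime_exceeds_policy", s) for s in find_long_lived_tokens(signins)]
    findings += [("service_principal_credential_added", a) for a in find_sp_credential_additions(audit)]
    return findings


if __name__ == "__main__":
    for rule, record in hunt():
        print(f"{rule}: {record}")
```

On the constructed data the hunt flags the `_f9` sign-in twice (no issuance record, and a 24-hour lifetime) and the credential addition to `billing-sync-app`. The first check is only as good as the issuance log it is joined against: it needs complete AD FS audit logging and the assertion identifier to be recorded on both sides, and a forged token that reuses a real user's claims will pass every cloud-side validation, which is exactly why the article says the anomalies can be missed.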