SolarWinds hackers also guessed passwords of many victims

Passwords
(Image credit: Shutterstock)

The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed that the threat actor behind the recent SolarWinds hack was able to guess the passwords of many victims as they did not use a password manager to generate strong, complex passwords.

In its initial advisory on the SolarWinds hack, CISA said that it was also investigating cases where the threat actor responsible was able to breach targets who were not running the company's Orion software. 

Now in an update to its original advisory, the agency has confirmed that password guessing, password spraying and unsecured credentials also played a role, saying:

“Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst). However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.”

Detecting threat activity

Once the hackers gained access to internal networks or cloud infrastructure, they escalated access in order to gain administrator rights according to CISA. They then forged authentication tokens (OAuth) that allowed them to access other local or cloud-hosted resources on a company's network without the need for valid credentials.

Based on a report from Microsoft published in late-December, the hackers main goal was to access cloud-hosted infrastructure including the software giant's Azure and Microsoft 365 environments.

CISA has published a second advisory to help organizations search Microsoft-based cloud setups for any traces of the SolarWinds hackers' activity and to remediate their servers. The agency says that its guidance is “irrespective of the initial access vector” which means that it applies to organizations that used the trojanized Orion app as well as those who credentials were obtained in either password guessing or spraying attacks.

At the same time, organizations can use CISA's tool Sparrow as well as CrowdStrike's similar tool called CST to detect possible compromised accounts and applications in Azure Microsoft 365 environments.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.