SolarWinds Hackers Continue to Exfiltrate Active Directory Through Targeted Backdoor

As you may have seen earlier today, Microsoft released new data on malware that the "SolarWinds hackers" have allegedly been using since April: a "highly targeted backdoor" that exfiltrates sensitive data from Active Directory Federation Services (AD FS) servers. While Microsoft has notified all customers it observed being compromised by this activity, organizations need to do more to secure Active Directory and the federation servers that depend on it. AD expert Darren Mar-Elia, VP of Product at Semperis, had this to say about the latest discovery:

“If Active Directory (AD) represents the keys to the kingdom, then AD Federation Services (ADFS) represents the keys to the "cloud kingdom". For any organizations that federate to cloud applications, platforms such as ADFS represent the pathway to gaining unfettered access to these cloud applications.

This compromise path, stealing credentials from AD, using those credentials to gain privileged access to ADFS and then using ADFS' secrets to access any of an organization's federated cloud applications, is a dangerous escalation of well-worn lateral movement attacks, introducing "vertical movement" where on-prem identity compromise is used to compromise cloud-based resources and data. Frankly, while this is targeting ADFS, a Microsoft product, other cloud federation platforms are not immune to the same style of attack. The common denominator here is that once trust of Active Directory is lost, so go all on-prem and cloud resources that rely on it.”
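The "ADFS secrets" in the quoted attack path are, concretely, the token-signing certificate and the DKM (Distributed Key Manager) key in Active Directory that protects its private key. The script below is an added example, not code from the article or from Semperis, that audits both so a defender can see who is in a position to take that step. It assumes it is run in an elevated PowerShell session on the primary AD FS server with the ADFS and RSAT ActiveDirectory modules installed, as an account allowed to read the AD FS configuration and the directory; the `Win32_Service` lookup of `adfssrv` to find the service account is an assumption about a default installation.

```powershell
# Added example (not from the original article or Semperis): audit the AD FS
# secrets that the on-prem-to-cloud compromise path depends on.
# Assumes: elevated session on the primary AD FS server, ADFS and
# ActiveDirectory modules present, reader rights on AD FS config and AD.
Import-Module ADFS
Import-Module ActiveDirectory

# 1. Token-signing certificate. Whoever holds its private key can mint SAML
#    tokens for every federated cloud application. Record the primary cert's
#    thumbprint and expiry so an unexpected certificate or rollover stands out.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } },
        @{ Name = 'Subject';  Expression = { $_.Certificate.Subject } }
'Token-signing certificates:'
$signing | Format-Table -AutoSize

# 2. The DKM key lives in the AD FS certificate-sharing container in AD.
#    A principal that can read that container can decrypt the signing key
#    from a copy of the configuration database, so its ACL should be minimal.
$dkmContainer = (Get-AdfsProperties).CertificateSharingContainer
$svcAccount   = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
"AD FS service account : $svcAccount"
"DKM container         : $dkmContainer"

# Rights that are enough to read the key material.
$readRights = 'GenericAll|GenericRead|ReadProperty'
$readers = (Get-Acl -Path "AD:\$dkmContainer").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match $readRights
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# Expected: the AD FS service account, SYSTEM and the admin groups AD FS
# granted at install time. Any other principal, in particular one with a
# non-inherited GenericAll, needs an explanation.
'Principals able to read the DKM container:'
$readers | Format-Table -AutoSize
```

If the audit turns up an unknown reader, or a compromise of the AD FS server is suspected, the certificate has to be treated as stolen: Microsoft's published guidance for this campaign was to rotate the token-signing certificate twice (for example with `Update-AdfsCertificate -CertificateType Token-Signing -Urgent`) so the previous certificate is no longer trusted even as a secondary, and then to refresh the federation trust on the cloud side so relying parties stop accepting tokens signed with the old key.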