SolarWinds Attackers Manipulated OAuth App CertificatesProofpoint Update Describes the Fraud Tactics
The SolarWinds supply chain attackers manipulated OAuth app certificates to maintain persistence and access privileged resources including email, according to researchers at Proofpoint.
OAuth is an open standard for authorization that allows a third-party application to obtain access to a cloud service. Based on its analysis of over 20 million cloud accounts in Europe and the U.S., Proofpoint concludes the SolarWinds attackers abused OAuth apps to lurk inside compromised cloud accounts.
"Any OAuth app that has broad access permissions is a potential security risk to your organization," the researchers note.
Researchers found that the SolarWinds-related attacks mainly targeted the U.S., Europe and Mexico.
In another recent development, Swiss cybersecurity firm Prodaft said Monday it had accessed several servers used by the SolarWinds supply chain attackers. A group it dubbed SilverFish conduced "extremely sophisticated" cyberattacks to perform reconnaissance and exfiltrate data from at least 4,720 targets, Prodaft said. Although U.S. authorities say the supply chain attack was part of a Russian cyberespionage operation, Prodaft stopped short of attributing the attack to a specific nation-state.
The Role of Certificates
Proofpoint researchers say that manipulated X.509 OAuth certificates played a crucial role in the SolarWinds attack. Internet protocols use these certificates to transfer data privately and securely between a server and a client.
"When signed by a trusted certificate authority, this digital certificate verifies that you are who you say you are - the domain, organization or the individual contained within the certificate. Attackers can steal certificates or create them by compromising signing systems," the researchers note.
The manipulation of OAuth app certificates enabled the attackers to maintain persistence on accounts the attackers accessed as a result of the installation of a backdoor known as Sunburst in SolarWinds' Orion network monitoring platform, researchers say. The attackers were able to generate signed certificates from an admin’s compromised endpoint.
Once they fraudulently generated a certificate, the attackers added it to the application service principal visible in the applications “certificates and secrets” section in the Azure portal, Proofpoint says.
"The attacker chose a previously authorized application, one with highly privileged permissions, such as application type mail scopes or even directory roles. Once the attacker chose an application and added the certificate, an OAuth2.0 token was generated by sending a JSON Web Token [JWT] post request to the authorization server," the researchers note.
After the token was granted, the attackers used it to access the resources permitted to the authorized application, bypassing the application altogether. The researchers note that such types of attacks are rarely detected.
"Although the SolarWinds attack was not a cloud-based attack, it did utilize this method in order to maintain persistence and have mail visibility that would not have been available when using the Sunburst [backdoor] malware alone," the researchers say.
The SolarWinds supply chain attack is believed to have begun in March 2020 when attackers installed the backdoor in an Orion software update.
Up to 18,000 customers installed and ran the Trojanized software. Later, attackers launched follow-on attacks on nine U.S. government agencies and about 100 private sector firms, federal investigators say (see White House Preparing 'Executive Action' After SolarWinds Attack).
The Proofpoint researchers explain that OAuth apps can easily be exploited, and an attacker can use OAuth access to compromise and take over cloud accounts. Until the OAuth token is explicitly revoked, the attacker has persistent access to the user’s account and data.
"These [exploited] apps usually require sensitive user delegated permissions so they can avoid being detected by an IT administrator and still get access to the sensitive resources," Proofpoint says.
"Such resources may include email, which allows reading, sending on users' behalf and setting up mail-forwarding rules; files to exfiltrate data or plant malware to share with contacts; and other resources that allow access to data or enable lateral movement within the organization," the researchers note.
OAuth abuse by attackers is widespread, Proofpoint says.
"Over the last year, threat actors targeted 95% of organizations with cloud account compromise attempts and more than 50% have experienced at least one compromise," the company says. "Of those compromised, over 30% experienced post-access activity including file manipulation, email forwarding and OAuth activity."
Researchers found that 10% of the organizations had mistakenly authorized malicious OAuth apps, which allow attackers to access and manage user information and data while also signing into additional cloud apps.