FireEye Mandiant on Tuesday announced the release of an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452, the name currently assigned by the cybersecurity firm to the threat group that attacked IT management company SolarWinds.
The SolarWinds supply chain attack has made hundreds of victims, and potentially impacted entities should check their systems for signs of an intrusion associated with this attack. On the other hand, it’s also important that organizations not impacted by the incident acquire the skills and resources needed to detect and neutralize these types of threats in case they are targeted in the future, particularly since other threat actors are expected to get inspiration from the playbook of UNC2452 for their future operations.
UNC2452 has used some sophisticated techniques to achieve its goals. In terms of moving laterally from on-premises networks to Microsoft cloud systems, FireEye says the attackers used a combination of four main techniques, including the theft of Active Directory Federation Services (AD FS) token-signing certificates for authenticating to targeted users’ accounts, creating Azure AD backdoors, obtaining credentials for high-privileged on-premises accounts synchronized with Microsoft 365, and abusing existing 365 applications to gain access to valuable data.
The new tool from Mandiant, named Azure AD Investigator, allows organizations to check their Microsoft cloud environments for evidence of an attack, and alerts security teams if it identifies artifacts that may require further review.
FireEye has highlighted that a manual review may be needed in some cases as some of the artifacts uncovered by the tool may be related to legitimate activities.
“The purpose of this resource is to empower organizations with the specific methodologies that our Mandiant experts are seeing from how the attacker is getting from on-premises to the cloud and what does that even look like, to the four core techniques that we’ve seen from the attack group,” Douglas Bienstock, manager at Mandiant, told SecurityWeek. “This is meant to provide a narrative about the technique but also call out the objectives and why this should be important to an organization – in other words, why should they care that attackers are doing this.”
The Azure AD Investigator source code is available on GitHub.
In addition to the tool, FireEye on Tuesday published a white paper named “Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452,” which shares recommendations on how organizations can mitigate and address potential attacks targeting their Microsoft 365 environments. The company says the paper offers remediation guidance to entities hit by UNC2452, hardening guidance for those not impacted, and detection guidance that can be useful to everyone.
“There’s been a lot of information that’s scattered out there making it difficult for companies to determine what they need to do to investigate their environment to remediate it, or proactively harden against it. This whitepaper is meant to serve as that playbook,” Bienstock said.