Protecting the Enterprise Server: After the SolarWinds®/Microsoft® Exchange® Hacks

The SolarWinds breach and the Microsoft Exchange server breach are striking, both in the extent and the breadth of their damage. As reported, at least nine U.S. government agencies and tens of thousands of SolarWinds customers were compromised in the SolarWinds breach, and close to 300,000 servers were likely compromised in the Exchange breach. The damage is ongoing; as part of the attack pattern, backdoor malware designed to give the attackers persistent access to the compromised organizations has been planted for future criminal activity. The recent executive order on cybersecurity testifies to the severity of the problem and the need for a centralized, proactive response.  

Beyond their headline nature, these attacks share features that point to common criminal tactics, techniques, and procedures (TTP), as well as newer trends that extend far beyond the initial breach. These appear to be a harbinger of a new attack strategy aimed at classic trust models that are the foundation of authentication processes. 

Below are the TTP patterns that we have observed. They include expansion of “classic” techniques previously in use, with “novel” strategies employed during these recent breaches. Enterprises should be aware of these techniques, and incorporate the mitigating strategies described below in their control frameworks.    

Criminal tactics 

1. Infiltrate – Gain access into the network and resources 
   • Classic tactics 
     • Use social engineering – Use phishing, targeted spear-phishing, vishing, etc. to infiltrate networks.  
     • Use remote access tools – Use malware that exploits remote desktop protocols, keyloggers, etc. to capture access credentials and data.
   • Novel tactics 
     • Use a supply chain attack – Compromise a software update supplied by another company (e.g., in the SolarWinds attack, a software upgrade was used as a criminal vector). 
     • Use zero days – Use previously unseen (zero-day) vulnerabilities (e.g., in the Exchange breach, four zero-days were exploited by a Chinese hacking group).  
     • Compromise APIs – Compromise application program interfaces (APIs) that interconnect web infrastructure platforms (also used in the Exchange hack).  
2. Target – Identify key information assets and exploit vulnerabilities 

   • Classic tactics 

     • Target the enterprise server (and other “rich attack vectors”) – Enterprise servers provide the means for a “rich” criminal payload. They are frequently one of the first targets of an attack once a criminal has established a foothold into an organization’s network.  

       • They often run with high-privilege accounts and have broad connectivity across the network to other high value targets.  

       • Compromising these high-level accounts provides subsequent access rights to greater network resources and layers of sensitive data (i.e., business proprietary or customer related). Both are housed on the server, or accessed elsewhere via lateral network movement.  

       • Once a privileged account has been compromised it becomes increasingly difficult to detect the attacker’s action as nefarious. This explains why the average time it takes organizations to detect a breach is 220 days. 

     • Target on-premises “non-virtualized” servers – On-premises non-virtualized servers present a preferred “softer” target to criminals.  

       • They often require downtime for updates, increasing the likelihood of firms not getting around to implementing protective controls.  

       • IT departments must negotiate maintenance windows that are often too narrow to sufficiently deploy patches to all servers or to ensure that patches were successfully installed.   

   • Novel tactics 

     • Compromise Active Directory – The Active Directory database and services contains critical information about the user environment, including users and permissions. Accessing AD gives criminals the “keys to the kingdom.” 

     • Compromise SSO SAML tokens – Security Assertion Markup Language (SAML) tokens are authentication tools used during single-sign on (SSO). Sophisticated attackers know that a once a user has logged into the main system, they do not need to reenter their credentials into each individual system; rather there is trust between systems that implement SSO.  
       Attackers have identified a means to compromise SSO, permitting themselves to appear as the trusted user. This compromise can be detected with sufficient analysis of the SSO trust, but the majority of security detection controls implemented do not do a thorough enough check. Thus, forged trust passes through security boundaries without detection. For example, a standard SSO trust is valid for 30 minutes to one hour. The SolarWinds trust time was set to one day, which is a red flag that could have led to the detection of compromise. 

     • Jump from enterprise server to access Microsoft ® Azure ® Cloud –Microsoft has a tool that is designed to connect the enterprise Active Directory to the Azure Active Directory via the use of a trust. Attackers forge this trust during the compromise of the enterprise server. They then use this forged trust with Microsoft’s Azure AD Connect tool to move from on-premises to Microsoft’s Azure Active Directory. The Azure AD connection gives attackers access the company’s cloud applications such as Microsoft ® Office ® 365. The result is that an attack to an enterprise server creates access to the firm’s Azure cloud applications. 

     • Broaden access to sensitive data, now and for the future – Once in, and having accessed a wide range of data, criminals gain access for later exploits. They plant “back door” criminal access points now to be activated later. They use credential information they have gained for business email compromise, spying, ransomware attacks, and other exploits.  

Action plan 

There are steps companies can and should do to protect themselves from both “classic” and “novel” criminal tactics. Use these and similar steps as part of a vulnerability detection and management program. Work with your managed service provider and cybersecurity advisor to tailor these steps for your organization.

• Conduct a business impact analysis – Have a full inventory and knowledge of the server’s criticality to the business. Know your server. Know all the software, hardware, and firmware that is running on the server. Know its applications, users, access privileges, and the network connections that an attacker would have if the server were compromised. Create a forensic image of the server.  

• Reduce the surface area – Segment the network with demilitarized zones that would make it more difficult for an attacker to pivot across the network.  

• Reduce server exposure– Move internet facing applications, APIs, and websites behind web application firewalls. 

• Reduce privileges – Ensure that the principal of least privileges, in which users are given minimum levels of permissions necessary to perform job functions, is applied. Make sure that default high-level passwords are replaced with long, difficult to crack passphrases. Audit privileged accounts periodically and enforce multi-factor authentication (MFA) where possible. 

• Harden the server – Disable all operating system services and close ports that are not necessary to the functioning of the server. Thoroughly test internet-facing application software with a specific security focus (e.g., the Web Security Testing Guide of the Open Web Application Security Project® (OWASP).  

• Use detection tools – Employ behavior analytics tools that can detect and alert regarding possible compromise. Set these tools to inspect a broad set of SAML data values for inconsistencies and irregularities. For example, Microsoft’s Cloud App Security software is designed to detect this type of attack through the use of “Impossible Travel” logins that detect when a user’s account is accessed from one location then from a separate location that is at a distance greater than that user could travel in the time between logins. 

• Configure for maximum protections – Update settings for maximum security, e.g., employ a zero trust model in which everything trying to connect is verified. Make sure that SSO times do not extend beyond the 30–60-minute expiration limit.  

• If possible, consider moving from an on-premises to a centralized server (e.g., O365). While the costs may be greater, security can be easier to maintain. 

As threats evolve, so must defenses 

The recent SolarWinds and Exchange Server breaches provide a stark reminder of the attractiveness of enterprise IT resources to criminals. By breaching these servers, perpetrators have been able to exploit Active Directory information at all levels, and gain access to a wealth of data. Further, they have been able to use this access as a jumping off point for further exploitation, whether now or at a later point. The damage is ongoing. 

To stay ahead of these new and evolving threats, companies must take active steps to protect enterprise servers. This includes ramping up threat detection and control activities, such as comprehensively inventorying server information, carefully administering MFA and access rights, hardening the server, reducing surface areas, employing detection tools, and moving toward a “zero-trust model.” These steps are recommended both for on-premises and cloud-based enterprise servers. 

Considering the importance of enterprise servers to the company, and the damage criminals can cause by breaching them, moving forward with these enterprise server protection steps is a means to protect the enterprise as a whole.  

How we help 

ACA Aponix offers the following solutions that can help your firm protect itself in relation to this and similar cybersecurity warnings, and to enhance its cybersecurity in general:  

• Risk assessments and regulatory compliance testing services 

• Threat Intelligence, phishing testing, and monitoring 

• Operational resilience and governance 

Download our Aponix Protect™ cybersecurity solution brochure. 

If you have any questions, please contact your ACA Aponix consultant or contact us below.