30 December 20, 18:42
Quote:Microsoft says that the end goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks.
No new tactics, techniques, and procedures (TTPs) were shared in a blog post published on Monday to provide Microsoft 365 Defender users with threat hunting techniques for investigating Sunburst attacks.
However, Microsoft also shared another important bit of information: the end goal of the SolarWinds hackers' attacks, something that was only hinted at previously.
As the Microsoft 365 Defender Team explains, after infiltrating a target's network with the help of the Sunburst backdoor, the attackers' goal is to gain access to the victims' cloud assets.
"With this initial widespread foothold, the attackers can then pick and choose the specific organizations they want to continue operating within (while others remain an option at any point as long as the backdoor is installed and undetected)," Microsoft explains. "Based on our investigations, the next stages of the attack involve on-premises activity with the goal of off-premises access to cloud resources [..]."
Microsoft's previous articles on the SolarWinds supply chain attack and National Security Agency (NSA) guidance also hinted at the fact that the attackers' ultimate goal was to generate SAML (Security Assertion Markup Language) tokens to forge authentication tokens allowing access to cloud resources.
Read more: https://www.bleepingcomputer.com/news/se...loud-data/