Based on a report from BLEEPINGCOMPUTER, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with other Federal Agencies has released a PowerShell-based tool that aims at detecting indicators of compromise (IOC) with relation to the recent SolarWinds breach.
In this breach, foreign hackers were able to obtain privileged, remote access to thousands of large businesses, Federal Agencies, and other organizations for a period of a few months without being detected. During this time, the hackers were able to monitor these networks for intelligence purposes.
Based on recent information from Microsoft about the methods and tactics deployed which allowed attackers to steal credentials and access tokens targeting Microsoft Azure environments, administrators should read these articles to understand what to look for.
The CISA tool, dubbed Sparrow is used to forensically examine, via PowerShell an Azure environment to identify the various IOCs discovered as a part of the post-breach remediation and incident response efforts.
Once launched, Sparrow will check the following areas of Azure:
- Searches for any modifications to the domain and federation settings on a tenant’s domain
- Searches for any modifications or credential modifications to an application
- Searches for any modifications or credential modifications to a service principal
- Searches for any app role assignments to service principals, users, and groups
- Searches for any OAuth or application consents
- Searches for SAML token usage anomaly (UserAuthenticationValue of 16457) in the Unified Audit Logs
- Searches for PowerShell logins into mailboxes
- Searches for well-known AppID for Exchange Online PowerShell
- Searches for well-known AppID for PowerShell
- Searches for the AppID to see if it accessed mail items
- Searches for the AppID to see if it accessed Sharepoint or OneDrive items
- Searches for WinRM useragent string in the user logged in and user login failed operations
Additionally, as previously covered in our blog post about Azure Security Defaults, if you do not have SolarWinds Orion platform in your environment, it is unlikely you have much to worry about with regards to this specific attack… however, you should ensure that, at a minimum, your Azure environment has security defaults (or more stringent) policies enabled for your uses.
If your organization would like to have Midshore Technology Services execute the Sparrow software in your Microsoft 365 and Azure environments, contact us to get on the schedule for an assessment. If you believe that your organization may be compromised or if you are currently running SolarWinds Orion, get in touch with us as soon as possible so a thorough cybersecurity assessment can be executed.
