Hackers breaking into networks without SolarWinds, CISA says

The Cybersecurity and Infrastructure Security Agency says hackers are breaching federal networks by exploiting methods besides the SolarWinds Orion vulnerabilities.

"Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," according to updated guidance published Jan 6. "CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs)."

SAML tokens having a 24-hour validity period or not containing multi-factor authentication details where expected are examples of these red flags.

As more about the SolarWinds Orion breach has surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove hackers from the government's networks because their access is probably no longer predicated on flaws in SolarWinds Orion, an IT management software.

CISA's new guidance appears to confirm that suspicion, stating Microsoft, which is helping the federal government investigate the hack, reported the hackers are tampering with the trust protocols in Azure/Microsoft 365.

"Microsoft reported that the actor has added new federation trusts to existing on premises infrastructure," according to the agency's guidance. "Where this technique is used, it is possible that authentication can occur outside of an organization's known infrastructure and may not be visible to the legitimate system owner."

In cases where administrative level credentials were compromised, organizations should conduct a "full reconstruction of identity and trust services," CISA said. Microsoft published a query to help identify this type of activity.

CISA's guidance also instructs federal agencies to conduct forensic analysis and harden their systems if they "accept the risk of SolarWinds Orion." Federal agencies are required to submit two status reports to CISA on those efforts later this month.

Tatyana Bolton, a cybersecurity expert at the R Street Institute, said the news of new vectors and vulnerabilities is "unsurprising" and that more will likely be found because of "how weak the U.S. federal cybersecurity requirements currently are."

"There are best practices that we already know could help prevent breaches like this, but we have lacked the political will to implement them," she said, noting practices such as developing federal cloud security certification and improving readiness for incident response and recovery.

"All of these were recommendations made by the Cyberspace Solarium Commission in its recent report, and need to be implemented yesterday," she added.

The New York Times on Jan. 6 reported the intelligence community and private cybersecurity investigators, believe JetBrains, a company used for software development that originates from the Czech Republic, may have been used as a pathway for hackers to breach the federal government's networks. The company told The Times it was not aware of any compromise or ongoing investigations.

This article was first posted on FCW, a sibling site to Defense Systems.