While the majority of victims of the SolarWinds supply chain attack were breached through the compromised Orion update, some had their perimeters breached via brute force password techniques.
According to a recently updated advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the SolarWinds attackers didn’t always rely on the poisoned Orion update as the initial access vector.
“CISA incident response investigations have identified that initial access in some cases was obtained by password guessing [T1101.001], password spraying [T1101.003], and inappropriately secured administrative credentials [T1078] accessible via external remote access services [T1133],” the agency said.
Once inside, the attackers escalated their privileges to gain administrative rights and then forged authentication tokens that allowed them to move through the network without having to satisfy 2FA or present additional credentials.
The attackers used compromised Office 365 credentials to access SolarWinds’ network. Once inside, they planted malicious code into an upcoming patch for its Orion software; the trojanized update was downloaded 18,000 times and triggered a secondary payload on affected systems.
The supply chain breach, first spotted by cybersecurity experts at FireEye, was described as one of the most devastating attacks of 2020, mostly because a number of US government organizations were compromised as well.
The goal of the campaign seems to be espionage and data harvesting.