Security "Bits"

SolarWinds, Office 365 & Shipbuilding...

By Nat Kausik | January 13, 2021 at 12:52 PM


Early ships had a single continuous, connected hull. That made them easier to build but easy to sink: one breach let water fill the whole hull. Dividing the hull into watertight compartments made ships safer, and a vessel divided into enough small compartments could be made all but unsinkable. What does that have to do with SolarWinds and Office 365?


Microsoft released a fascinating tech note on the impact of the SolarWinds breach, titled "Using Microsoft 365 Defender to protect against Solorigate." According to that note, the attacker fans out from a single compromised Windows device in an organization (the one running the trojanized SolarWinds software) as follows:

  1. Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device
  2. Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using either of two methods:
     1. Stealing the SAML signing certificate (Path 1)
     2. Adding to or modifying existing federation trust (Path 2)
  3. Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud

Item 3 is the one that matters. A SAML token forged with the tenant's signing key, or with a key the attacker has added to the federation trust, is honored by every service that trusts that federated identity: Office 365, Azure AD, MCAS and everything else behind them. In short, if the organization is a "Microsoft shop," the compromise runs end-to-end, because the single identity trust that makes sign-on seamless across those services also makes the breach total.
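The trust decision behind Paths 1 and 2, reduced to a runnable model. This is an added example written for this post; it is not code from Microsoft's note and not Bitglass's own. The issuer URLs, the subject and role claims, and the fingerprint format are hypothetical, and a signed string stands in for a SAML assertion with XML-DSig. What it shows is the point the note implies: the relying party accepts anything verifiable by a key on its trust list, so a stolen key (Path 1) and an added key (Path 2) are indistinguishable from the real IdP at verification time, and the practical check for Path 2 is comparing the trusted signing keys against a baseline recorded earlier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Assertion stands in for a SAML assertion (issuer, subject, role); real SAML is XML with XML-DSig.
type Assertion struct{ Issuer, Subject, Role string }

// Signed is an assertion plus an RSA PKCS#1 v1.5 / SHA-256 signature over it.
type Signed struct{ Assertion; Sig []byte }

func digest(a Assertion) []byte {
	h := sha256.Sum256([]byte(a.Issuer + "|" + a.Subject + "|" + a.Role))
	return h[:]
}

// IdP holds a token-signing key, as on-prem AD FS does.
type IdP struct{ Name string; Key *rsa.PrivateKey }

func NewIdP(name string) *IdP {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &IdP{name, key}
}

// Sign issues an assertion for subject/role under this IdP's key.
func (i *IdP) Sign(subject, role string) Signed {
	a := Assertion{i.Name, subject, role}
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.Key, crypto.SHA256, digest(a))
	if err != nil {
		panic(err)
	}
	return Signed{a, sig}
}

// Fingerprint is a short thumbprint of a public key (here over the RSA modulus; hypothetical
// format), the form in which an admin sees a signing certificate in a federation config.
func Fingerprint(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return hex.EncodeToString(sum[:8])
}

// Trust is what the relying party (the cloud tenant) stores for an issuer: the signing
// keys it accepts. Path 2 of the attack edits this list.
type Trust struct{ Issuer string; Keys []*rsa.PublicKey }

// Verify accepts the assertion if the issuer matches and ANY trusted key checks the
// signature; the relying party cannot tell whether that key was used by the real IdP,
// by someone who stole it (Path 1) or by someone who added it (Path 2).
func (t *Trust) Verify(s Signed) bool {
	if s.Issuer != t.Issuer {
		return false
	}
	for _, k := range t.Keys {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, digest(s.Assertion), s.Sig) == nil {
			return true
		}
	}
	return false
}

// Drift returns fingerprints of keys the trust accepts now that are not in the baseline
// set recorded earlier: the practical detection signal for Path 2.
func Drift(baseline map[string]bool, t *Trust) (added []string) {
	for _, k := range t.Keys {
		if fp := Fingerprint(k); !baseline[fp] {
			added = append(added, fp)
		}
	}
	return added
}

// Scenario plays both paths from the note against one tenant and returns which forged
// tokens the relying party accepted, plus what a drift check reports afterwards.
func Scenario() (accepted map[string]bool, drift []string) {
	corp := NewIdP("https://adfs.corp.example")     // hypothetical on-prem AD FS
	attacker := NewIdP("https://adfs.corp.example") // attacker's own key, same issuer name
	tenant := &Trust{corp.Name, []*rsa.PublicKey{&corp.Key.PublicKey}}
	baseline := map[string]bool{Fingerprint(&corp.Key.PublicKey): true} // recorded before the attack
	forged := attacker.Sign("admin@corp.example", "GlobalAdmin")
	accepted = map[string]bool{"untrusted key": tenant.Verify(forged)}
	stolen := &IdP{corp.Name, corp.Key} // Path 1: key exfiltrated from AD FS
	accepted["path 1 stolen key"] = tenant.Verify(stolen.Sign("admin@corp.example", "GlobalAdmin"))
	tenant.Keys = append(tenant.Keys, &attacker.Key.PublicKey) // Path 2: federation trust edited
	accepted["path 2 added key"] = tenant.Verify(forged)       // same token, now accepted
	return accepted, Drift(baseline, tenant)
}

func main() {
	fmt.Println(Scenario())
}
```

The same `Verify` with a second `Trust` for a second relying party is the compartment argument in miniature: a key stolen from one IdP verifies nothing for a relying party whose trust list holds a different IdP's keys, and a baseline check run against each trust separately catches a Path 2 edit to any one of them.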

Enterprises that standardize on Microsoft's security infrastructure are, in effect, ships with a single connected hull: a hole in one place sinks the whole vessel. Enterprises that use an independent IdP, CASB, malware protection and so on have hull compartments, so a leak in one compartment does not sink the ship. The compartments do have to be watertight, though: an independent IdP whose signing key or federation settings can be changed from the same compromised Active Directory domain is a bulkhead with the door left open, and each compartment's trust configuration needs its own baseline and monitoring.
