- The Cybersecurity and Infrastructure Security Agency (CISA) found bad actors used password guessing and spraying "in some cases" for initial access, according to an updated SolarWinds advisory on Wednesday.
- In some cases, CISA found intrusions in organizations where SolarWinds Orion was not in use or the platform was not exploited. In these cases, the agency found evidence of adversarial tactics, techniques and procedures (TTPs) using passwords and "inappropriately secured administrative credentials accessible via external remote access services," according to the advisory.
- The agency said the initial access root cause is still under investigation and the latest findings do not "supersede the requirements" of the initial emergency directive 21-01, where the agency asked federal agencies to power down SolarWinds products.
As investigators and researchers work to understand the full extent of the SolarWinds hack, the latest CISA update points to a constant in cybersecurity: weak passwords.
Password spraying is often described as a brute force attack, where attackers inundate usernames with rounds of passwords, looking for a match, according to Microsoft. When hackers are seeking out specific targets, they'll research an individual, looking for clues on social media or other platforms, to build possible passwords.
"Weak passwords are a major vulnerability that offers an easy entry point to any system no matter how much we spend on sophisticated approaches in other components of the system," said Hanan Hibshi, research and teaching scientist, Information Networking Institute at Carnegie Mellon University’s CyLab Security and Privacy Institute, in an email.
In its advisory, CISA included research from Volexity, which found the advanced persistent threat (APT) leveraged a previously stolen secret key "to generate a cookie to bypass the Duo multi-factor authentication (MFA) protecting access to Outlook Web App." The same activity was seen in SolarWinds' supply chain hack, leading Volexity to conclude there are undiscovered initial vectors outside of SolarWinds Orion, according to the memory forensics company.
Last week, the Department of Justice found about 3% of their Microsoft Office 365 inboxes were compromised as part of the attack. The APT relied on authentic credentials "in the form of assigning tokens and certificates to existing Azure/Microsoft 365 (M365) application service principals," CISA said in its Wednesday update. The TTP granted attackers escalation tools and a way of "interacting with the Microsoft Cloud tenants."
Microsoft has issued guidance on how organizations can identify whether authentication took place outside of the purview of the system owner and their infrastructure and changes to the identity federation.
If MFA isn't available, CISA advises organizations to use complex passwords consisting of more than 25 characters. Complex passwords hurt user experience, leaving many employees recycling their passwords across platforms and devices.
Password managers can mitigate the risk of poor, overused passwords because it limits how much an employee has to remember. But doing so "does not come without the cost of organizations investing in those solutions," and appropriate employee training, said Hibshi.