A signage of Microsoft is seen on March 13, 2020, in New York City. Mandiant on Friday reported that UNC2452 – the group responsible for the SolarWinds attack – and other threat actors are moving laterally to the Microsoft 365 cloud. (Jeenah Moon/Getty Images)

Mandiant on Friday reported that its researchers had recently observed UNC2452 – the group responsible for the SolarWinds attack – and other threat actors moving laterally to the Microsoft 365 cloud.

Security researchers say these groups are largely funded by nation-states and their primary purpose is gathering intellectual property and intelligence primarily valuable to governments.

In a blog post, the researchers said the threat actors are using Microsoft Exchange Web Services (EWS) impersonation to maintain persistent access to mailboxes in victim environments. The researchers said once the threat actors have access, it’s hard to detect and the threat actor can control every mailbox in a victim’s tenant.

“Mandiant has also observed targeted threat actors abusing the trust relationships between cloud service provider organizations and their customers to laterally move from service providers to their downstream customers and gain administrator privileges in the target tenants,” according to Mandiant researchers.

Mandiant has updated its blog post, a white paper and an Azure AD Investigator tool to reflect the latest findings by its researchers.

This year's Microsoft Exchange vulnerabilities likely caused more organizations to move to the cloud, already a trend that's been well underway for years, said Sean Nikkel, senior cyber threat intelligence analyst at Digital Shadows. Nikkel said this means that there are probably many Microsoft 365, Azure, or similar cloud services that were hastily deployed or otherwise incorrectly configured, which gives attackers a way in.

Nikkel said user access management becomes crucial in this instance. He said Organizations should audit accounts regularly to ensure the correct privileges are assigned while also ensuring that newly created accounts are legitimate and old or unused accounts are removed. Security teams should also look for activity that seems suspicious, whether through hunting or security tool alerts, while also focusing on higher-value targets such as administrators or services operating with elevated privileges.

Mandiant's overlay of adversary techniques with MITRE ATT&CK is reasonably comprehensive, and they should use these tools and guidelines as a starting point, but it will take work,” Nikkel said. “Finally, understanding where potential attacks might occur through a third party or an otherwise uncontrolled attack surface is crucial. Implementing controls through a zero-trust model may also be a worthwhile look since this can take away an attacker's ability to move throughout a network and take other arbitrary actions post-compromise. This takes some planning and work to implement effectively. You can have a strong castle with the best defenders and defenses available, but if you left the back door open, it's all for naught.”

Chuck Everette, director of cybersecurity advocacy at Deep Instinct, explained that the threat actors named UNC2452 are a sophisticated group of cybercriminals. Historically, he said they have targeted  government entities, technology firms, and some institutions of higher education and their main goal revolves around the stealing of information. This includes emails, intellectual property, and internal security documents.

“They don’t seem to be interested in PII or financial data, nor are they disruptive or destructive,” Everette said. “This group is a large collective of highly-skilled personnel that is well-resourced, with dedicated infrastructure, and thought to be nation-state sponsored due to the information stolen being of use to a country or military organization. The data has had very little economic value, but significant value to governments.”

Everette added that the nature of their attacks are not performed by a standard playbook or a normal linear progression: they are highly adaptive, they use a large number of sophisticated techniques to manipulate and access multiple systems, creating backdoors for future return visits. Everette said their latest attack vectors have been heavily focused on the use of the Golden SAML Attack.

“Once they’ve gained access into the victim’s environment, they then steal the encrypted token signing certificate for the environment,” Everette said. “This allows them to create backdoors into email systems, databases, as well as create fake AD accounts and modify trusted domains they can then forage authentication tokens and bypass MFA and password requirements for systems such as Office 365. This essentially allows them to authenticate as any Office 365 user.” 

John Hammond, senior security researcher at Huntress, said these new observations against UNC2452 ultimately boil down to the core steps outlined in the standard cyber kill chain.

“Once a threat actor gains access into an environment, they maintain persistence with certain implants, move laterally across different targets and continue post-exploitation,” Hammond said. “Given Mandiant's research on UNC2452, security teams should specifically monitor rogue activity in mailboxes, unordinary account usage in event logs, and revisit the trusts and access policies between local systems and cloud service providers."