FireEye Releases New Open Source Tool in Response to SolarWinds Hack

FireEye Mandiant on Tuesday announced the release of an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452, the name currently assigned by the cybersecurity firm to the threat group that attacked IT management company SolarWinds.

The SolarWinds supply chain attack has made hundreds of victims, and potentially impacted entities should check their systems for signs of an intrusion associated with this attack. On the other hand, it’s also important that organizations not impacted by the incident acquire the skills and resources needed to detect and neutralize these types of threats in case they are targeted in the future, particularly since other threat actors are expected to get inspiration from the playbook of UNC2452 for their future operations.

UNC2452 has used some sophisticated techniques to achieve its goals. In terms of moving laterally from on-premises networks to Microsoft cloud systems, FireEye says the attackers used a combination of four main techniques, including the theft of Active Directory Federation Services (AD FS) token-signing certificates for authenticating to targeted users’ accounts, creating Azure AD backdoors, obtaining credentials for high-privileged on-premises accounts synchronized with Microsoft 365, and abusing existing 365 applications to gain access to valuable data.

The new tool from Mandiant, named Azure AD Investigator, allows organizations to check their Microsoft cloud environments for evidence of an attack, and alerts security teams if it identifies artifacts that may require further review.

FireEye has highlighted that a manual review may be needed in some cases as some of the artifacts uncovered by the tool may be related to legitimate activities.

“The purpose of this resource is to empower organizations with the specific methodologies that our Mandiant expert ..