
FireEye Releases New Open Source Tool in Response to SolarWinds Hack
2021-01-19 19:04

FireEye Mandiant on Tuesday announced the release of an open source tool designed to check Microsoft 365 tenants for the use of techniques associated with UNC2452, the name currently assigned by the cybersecurity firm to the threat group that attacked IT management company SolarWinds.

The SolarWinds supply chain attack has claimed hundreds of victims, and potentially affected organizations should check their systems for signs of an intrusion associated with this campaign.

In terms of moving laterally from on-premises networks to Microsoft cloud systems, FireEye says the attackers used a combination of four main techniques: stealing Active Directory Federation Services (AD FS) token-signing certificates to authenticate as targeted users, creating Azure AD backdoors, obtaining credentials for high-privileged on-premises accounts synchronized with Microsoft 365, and abusing existing Microsoft 365 applications to gain access to valuable data.

The new tool from Mandiant, named Azure AD Investigator, allows organizations to check their Microsoft cloud environments for evidence of an attack, and alerts security teams if it identifies artifacts that may require further review.

"The purpose of this resource is to empower organizations with the specific methodologies that our Mandiant experts are seeing from how the attacker is getting from on-premises to the cloud and what does that even look like, to the four core techniques that we've seen from the attack group," Douglas Bienstock, manager at Mandiant, told SecurityWeek.

In addition to the tool, FireEye on Tuesday published a white paper named "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452," which shares recommendations on how organizations can mitigate and address potential attacks targeting their Microsoft 365 environments.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/IvRQ-7osFQk/fireeye-releases-new-open-source-tool-response-solarwinds-hack
