
AWS and Azure used in SolarWinds Attack

The SolarWinds exploit was one of the biggest security breaches of the past year. There is now no doubt that this cyberattack was the result of a very sophisticated effort; Microsoft estimated that it was likely the work of about 1,000 engineers building the malware. The attack worked by compromising the software update service for SolarWinds' Orion IT infrastructure management product. Weak passwords are thought to be one of the factors that allowed the attackers to gain a foothold in SolarWinds' processes. The attack spread to approximately 18,000 users of the Orion product, including many U.S. government agencies such as the Commerce, Treasury, Homeland Security and Justice Departments.

However, one of the interesting things about the attack was the level of sophistication it showed by incorporating multiple cloud platforms in its construction. The malware made use of systems on both AWS and Azure. I should point out that these cloud providers are not responsible for the execution of this cyberattack: the platforms were simply tools used in the attack. The attackers signed up for cloud accounts and used cloud platform resources just like any other customer. While I'm sure this usage violated the providers' terms of service, something would have to bring it to the provider's attention first, and subterfuge is a big part of these kinds of cyberattacks.

The attackers used Azure for the primary domain and AWS for the subdomains: Azure hosted the DNS infrastructure that resolved the domain names used by the malware, while AWS hosted most of the secondary command and control (C2) nodes. After installation at a target organization, the malware waited about two weeks before doing anything, to avoid detection, and then contacted the attacker-created domains on Azure. The malware's DNS servers in Azure returned the IP addresses of the C2 servers in AWS, and the installed malware then began communicating with the AWS servers at those addresses. The AWS C2 servers then issued commands to the malware running on the SolarWinds host.
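The DNS-then-C2 sequence in the paragraph above also suggests what a defender can look for: a host that first resolves an unfamiliar domain only after a long quiet period following installation, and then connects to the very address that answer returned. The following Python script is an added example, not code from the article or from any vendor; it correlates DNS answers with subsequent outbound connections and flags that pattern. The log formats, host names, install dates, the allowlist, the placeholder domain and the RFC 5737 addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (placeholder names and RFC 5737 addresses, not real IoCs).
# DNS log format assumed here: "<ISO time> <host> <queried name> <answer IP>"
DNS_LOG = """\
2020-03-01T09:00:00 orion-01 updates.example-vendor.test 192.0.2.10
2020-03-16T02:14:07 orion-01 a1b2.placeholder-c2.test 198.51.100.23
2020-03-16T02:14:09 orion-01 a1b2.placeholder-c2.test 198.51.100.23
2020-03-02T11:30:00 ws-17 updates.example-vendor.test 192.0.2.10
"""
# Connection log format assumed here: "<ISO time> <host> <destination IP> <port>"
CONN_LOG = """\
2020-03-01T09:00:02 orion-01 192.0.2.10 443
2020-03-16T02:14:10 orion-01 198.51.100.23 443
2020-03-02T11:30:01 ws-17 192.0.2.10 443
"""
# Hypothetical: when the monitored management software was installed on each host.
INSTALL_DATES = {"orion-01": "2020-03-01T08:55:00", "ws-17": "2020-03-02T11:00:00"}
# Domains the organisation expects its hosts to resolve (constructed allowlist).
KNOWN_GOOD = {"updates.example-vendor.test"}


def _ts(text):
    return datetime.fromisoformat(text)


def find_delayed_beacons(dns_log=DNS_LOG, conn_log=CONN_LOG,
                         install_dates=INSTALL_DATES, known_good=KNOWN_GOOD,
                         min_dormancy=timedelta(days=10), window=timedelta(minutes=5)):
    """Return alerts for hosts that (1) first resolved an unexpected domain only
    after a long quiet period following installation and (2) then connected to the
    address that the DNS answer returned.  Both conditions are needed: a delayed
    first lookup alone is noisy, and a connection alone says nothing about DNS."""
    # Outbound connections indexed by (host, destination IP).
    conns = defaultdict(list)
    for line in conn_log.splitlines():
        when, host, dst, _port = line.split()
        conns[(host, dst)].append(_ts(when))

    # Earliest lookup of each (host, domain) pair; log order is not assumed.
    first_lookup = {}
    answers = []
    for line in dns_log.splitlines():
        when, host, qname, answer = line.split()
        t = _ts(when)
        if (host, qname) not in first_lookup or t < first_lookup[(host, qname)]:
            first_lookup[(host, qname)] = t
        answers.append((t, host, qname, answer))

    alerts, seen = [], set()
    for t, host, qname, answer in answers:
        if qname in known_good or (host, qname, answer) in seen:
            continue
        dormancy = first_lookup[(host, qname)] - _ts(install_dates[host])
        if dormancy < min_dormancy:
            continue
        # Did the host contact the returned IP shortly after receiving the answer?
        for conn_time in conns.get((host, answer), []):
            if timedelta(0) <= conn_time - t <= window:
                seen.add((host, qname, answer))
                alerts.append({"host": host, "domain": qname, "c2_ip": answer,
                               "dormancy_days": dormancy.days,
                               "first_lookup": first_lookup[(host, qname)].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_delayed_beacons():
        print(alert)
```

Run on the constructed logs, the script produces a single alert for `orion-01`: its first lookup of the placeholder domain came 14 days after installation and was followed within seconds by a connection to the returned address, while the allowlisted update domain on both hosts produces nothing. The dormancy threshold and the correlation window are parameters, since the right values depend on how long the environment's own software legitimately stays quiet after deployment.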

After the attack became public, Microsoft revoked the certificates that the malware was using. It then took down the attack infrastructure in Azure, which prevented the malware from communicating with the AWS servers. Finally, it added the malware to Windows Defender so that Defender would automatically quarantine and remove the malware if it were found. Microsoft and Amazon have both said they shared what they learned about the attack with law enforcement. The attack was notable enough that Congress convened a hearing about it. However, Amazon did not attend the congressional hearing. AWS vice president of public policy Shannon Kellogg said they "were not compromised in any way, which is why we did not provide formal testimony on the panel yesterday."


The heavy use of these cloud technologies shows that cybercriminals and their attacks continue to rise in sophistication just as the supporting technology does. I suppose most cyberattack victims call every cyberattack sophisticated, and many times they are not wrong. In the case of the SolarWinds exploit, however, security experts are pretty much unanimous that the term is warranted. It gives cause for worry, and for implementing stronger security measures, as it is clear that cybercriminals now leverage the cloud just as legitimate businesses do.



Michael Otey is president of TECA, a technical content production, consulting and software development company in Portland,