The Cybersecurity and Infrastructure Security Agency (CISA) late Friday issued a new alert – stemming from the Russian hack of SolarWinds Orion products – in which CISA warns it has uncovered evidence of post-hack advanced persistent threat (APT) activity in victims' cloud environments.
The alert says CISA has “seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment and using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations.”
The activity flagged by CISA, the agency said, is in addition to what it previously described in a Dec. 17 alert released shortly after the SolarWinds hack became public.
In response to today’s alert, CISA issued new resources to describe the APT activity and offer guidance on open-source remediation tools.
“Network defenders can use these tools to help detect and remediate malicious APT actor activity as part of the ongoing supply chain compromise,” the agency said, adding that it “strongly encourages users and administrators” to review its alert for additional information and detection countermeasures.
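The cloud activity the alert describes, an actor using compromised applications in M365/Azure together with additional credentials and API access, leaves a trail in tenant audit and sign-in logs. The following is an added illustration, not code or data from CISA, the article, or Microsoft: it correlates credential additions to an application with the service-principal sign-ins that follow, and flags additions made outside an approved change process or followed by sign-ins from source addresses the app had never used before. The record layout, field names, activity strings, account names and IP addresses are all constructed assumptions for the example.

```python
"""Correlate new application credentials with subsequent service-principal sign-ins.

Added example (not from the CISA alert or the article). The log shape, field names,
activity names, accounts and addresses below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed audit-log style records (assumed field names, not a real schema).
AUDIT_RECORDS = [
    {"time": "2021-01-06T02:14:00Z", "activity": "Add service principal credentials",
     "initiator": "svc-automation@example.test", "app": "CRM-Connector"},
    {"time": "2021-01-06T03:40:00Z", "activity": "Add service principal credentials",
     "initiator": "jdoe@example.test", "app": "Mail-Archiver"},
    {"time": "2021-01-06T03:41:00Z", "activity": "Update user",
     "initiator": "jdoe@example.test", "app": None},
]

# Constructed service-principal sign-in records (assumed field names).
SP_SIGNINS = [
    {"time": "2021-01-05T09:00:00Z", "app": "Mail-Archiver", "ip": "198.51.100.5"},
    {"time": "2021-01-06T02:20:00Z", "app": "CRM-Connector", "ip": "198.51.100.5"},
    {"time": "2021-01-06T03:55:00Z", "app": "Mail-Archiver", "ip": "203.0.113.10"},
]

# Activity names that add a secret or certificate to an app (assumed values).
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Accounts allowed to rotate app credentials under the (assumed) change process.
APPROVED_INITIATORS = {"svc-automation@example.test"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def credential_additions(audit, approved=APPROVED_INITIATORS):
    """Return credential additions performed by anyone outside the approved set."""
    return [r for r in audit
            if r["activity"] in CREDENTIAL_ACTIVITIES and r["initiator"] not in approved]


def correlate_additions_with_signins(audit, signins, window=timedelta(hours=24),
                                     approved=APPROVED_INITIATORS):
    """For each unapproved credential addition, summarise the app's sign-ins that follow.

    A finding lists sign-ins inside the window after the addition and any source
    addresses that never appeared for that app before the credential was added.
    """
    findings = []
    for add in credential_additions(audit, approved):
        added_at = _ts(add["time"])
        app_signins = [s for s in signins if s["app"] == add["app"]]
        prior_ips = {s["ip"] for s in app_signins if _ts(s["time"]) < added_at}
        after = [s for s in app_signins
                 if added_at <= _ts(s["time"]) <= added_at + window]
        findings.append({
            "app": add["app"],
            "initiator": add["initiator"],
            "added_at": add["time"],
            "signins_after": len(after),
            "new_source_ips": sorted({s["ip"] for s in after} - prior_ips),
        })
    return findings


if __name__ == "__main__":
    for f in correlate_additions_with_signins(AUDIT_RECORDS, SP_SIGNINS):
        print(f"{f['app']}: credential added by {f['initiator']} at {f['added_at']}, "
              f"{f['signins_after']} sign-in(s) after, new source IPs {f['new_source_ips']}")
```

Run against the constructed records, the automation account's addition to CRM-Connector is ignored as approved, while the Mail-Archiver addition by a user account is reported together with the later sign-in from an address the app had not used before. In a real tenant the approved set would come from the change-management system and the records from the audit and sign-in log exports, and the window would be tuned to how quickly a freshly added credential is normally exercised.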