Dark Halo Leverages SolarWinds Compromise to Breach Organizations
ID: 3134846a-4ebf-5cd0-a3c1-8e64c1f343ce
STIX ID: report--3134846a-4ebf-5cd0-a3c1-8e64c1f343ce
Feed Name: Volexity Blog
Volexity documents attacks by a sophisticated actor it calls Dark Halo (overlapping with FireEye's UNC2452). The actor used a backdoored SolarWinds Orion update to gain access, executed Exchange Management Shell and PowerShell commands to enumerate and export targeted mailboxes, bypassed Duo MFA by extracting the Duo integration secret and forging valid duo-sid cookies, and staged and exfiltrated password-protected PSTs via OWA. The report lists numerous indicators (IPs, domains, SSL-hosted domains) and recommends mitigations such as resetting MFA integration keys and credentials and monitoring Exchange Management Shell activity.
