According to a recent report by Mandiant, two hacker groups associated with the SolarWinds hack (UNC3004 and UNC2652) have continued to decide on ways to better compromise a large number of targets.
These tactics include the use of login credentials stolen by finally motivated hackers who can compromise UNC3004 and UNC2652 targets without using a hacked service provider.
Once they gain access to a company’s network, they compromise corporate filters with “application impersonation privileges.” Once this account is hacked, the hackers no longer need to break into each account individually. In addition, the attackers misuse legitimate private proxy services or localized cloud providers such as Azure to connect to end targets.
Attackers also use clever methods to bypass security constraints, one of which involves extracting virtual machines to determine internal routing configurations of the network configurations of the networks they wish to hack.
For more information read the original story in Arstechnica.