local-to-cloud: NSA warns of federated login abuse for attacks

The US National Security Agency has published a security advisory on Thursday warning about two techniques hackers are using to escalate access from compromised local networks into cloud-based infrastructure.

The advisory comes on the heels of the massive SolarWinds supply chain hack that has hit several US government agencies, security firm FireEye, and most recently, Microsoft.

local-to-cloud: NSA warns of federated login abuse for attacks
NSA Headquarters

While the NSA doesn’t specifically mention the SolarWinds hack in its advisory, both techniques described in the document have also been spotted being abused by the SolarWinds hackers to escalate access to cloud resources after initially gaining access to local networks via the trojanized SolarWinds Orion app — as per advisories from FireEye, Microsoft, and CISA (the US Cybersecurity and Infrastructure Security Agency).

Recommended:   Track My Phone For Free Online – Find My Phone

As not to distort the NSA’s message, we’ll quote details about the two techniques directly from the agency’s advisory:

“In the first [technique] , the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.

Recommended: Newly Updated: IHG Merlin Login portal Page

In a variation of the first TTP, if the malicious cyber actors are unable to obtain a non-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

Recommended:   Hallsville High school – Hallsville Independent School District

In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious.”

The NSA notes that neither technique is new and that both have been used since at least 2017, by both nation-state groups but also by other types of threat actors.

Furthermore, the NSA adds that neither of the two techniques exploits vulnerabilities in federated authentication products, but they rather abuse legitimate functions after a local network or admin account compromise.

Recommended:   Hackers are predicted to be selling more than 85 000 MySQL databases on dark web portal

Recommended: Hackers are predicted to be selling more than 85 000 MySQL databases on dark web portal

The US security agency says that there are countermeasures that companies can put in place to at least detect when an intruder abuses these mechanisms and respond to breach faster.

These mitigations, grouped across several categories, are detailed in the NSA advisory, available for download as a PDF document.

The NSA also said that even if the advisory and mitigations are centered around Microsoft Azure, “many of the techniques can be generalized to other environments as well.”

nsa-saml-advisory

Be the first to comment

Leave a Reply

Your email address will not be published.


*