NSA Advisory on Authentication Mechanism Abuse to Obtain Access to Cloud Resources

The U.S. National Security Agency (NSA) has published an advisory on two techniques that threat groups are currently using to gain access to cloud resources that contain protected information. These techniques abuse authentication mechanisms and allow attackers to exfiltrate credentials and maintain persistent access to networks.

The threat actors who breached the SolarWinds Orion platform are using these techniques. The hackers behind the attacks have not yet been identified, but some information has surfaced indicating the attack was the work of a Russian nation-state threat group, perhaps APT29 (Cozy Bear). Secretary of State Mike Pompeo stated in a radio interview that the activity was carried out by Russians, though President Trump downplayed the attack and said there is a possibility that China is responsible.

The SolarWinds Orion supply chain attack was used to deliver malware to customers through the SolarWinds software update process, but that is only one of several methods now being used to compromise public and private sector organizations and government agencies.

The NSA’s alert explained that initial access can be established in various ways, including through known and unknown vulnerabilities. The recent SolarWinds Orion code compromise is one example: on-premises systems were compromised, leading to the abuse of federated authentication and malicious cloud access.

Once initial access has been gained, the techniques described in the advisory are used to obtain additional privileges by forging credentials in order to maintain persistent access. The NSA has provided guidance on detecting and mitigating attacks, regardless of how the initial access was obtained. The NSA says these techniques are not new: threat actors have used them since 2017 and they continue to be effective.

The techniques described in the alert involve the use of compromised authentication tokens and the abuse of compromised system administration accounts in Microsoft Azure and other cloud platforms once a local network has been breached.

The first technique involves compromising an on-premises federated identity provider or single sign-on (SSO) system. These systems allow organizations to use the authentication systems they already own to grant access to resources, including cloud services. They use cryptographically signed automated messages (assertions), passed via Security Assertion Markup Language (SAML), to indicate that users have been authenticated. Threat actors are abusing the authentication mechanism to gain illicit access to a wide range of assets owned by organizations.

The attackers either steal credentials or private keys from the SSO system that allow them to sign assertions and impersonate a legitimate user, or obtain sufficient privileges to create their own keys and identities, as well as their own SSO system. The second technique involves compromising administrator accounts to assign credentials to cloud application services, after which the attackers use the application’s credentials to gain automated access to cloud data.

The NSA has warned that threat actors continue to exploit the recently disclosed command injection vulnerability in VMware products (CVE-2020-4006). In one case reported by the NSA, exploitation of this vulnerability, rather than the SolarWinds method, provided initial access to the local network. The techniques described in the advisory were then used to gain access to cloud assets. A patch has been released to fix the vulnerability in the affected VMware products and should be applied immediately. SolarWinds Orion users should follow the previously published mitigations.

These techniques for gaining access to cloud resources do not exploit vulnerabilities in cloud infrastructure, the SAML protocol, federated identity management, or on-premises and cloud identity services; instead, they abuse trust in the federated identity system.

The security of identity federation in any cloud environment depends directly on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, the trust in the federated identity system can be abused for unauthorized access.

To prevent these techniques from being used successfully to gain access to cloud resources, the NSA recommends the following:

  • Secure SSO configuration and service principal usage
  • Harden the systems that run on-premises identity and federation services
  • Monitor logs for suspicious tokens that do not match the organization’s baseline for SAML tokens
  • Audit tokens to identify anomalies
  • Examine logs for suspicious use of service principals
  • Look for unexpected trust relationships that have been added to Azure Active Directory
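
The log-monitoring recommendation above can be sketched as a baseline check over cloud sign-in records. This is an added example, not code from the NSA advisory or from this article; the field names, baseline values, issuer URLs and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Baseline is an assumption for this example; derive real values from
# your own identity provider (IdP) configuration.
BASELINE = {
    "issuers": {"https://sso.example.com/adfs/services/trust"},
    "max_lifetime": timedelta(hours=1),
}

# Constructed IdP issuance log: assertion IDs the on-premises IdP really signed.
IDP_ISSUED = {"_a1f3", "_b7c2"}

# Constructed cloud-side sign-in records (hypothetical field names).
SIGNINS = [
    {"assertion_id": "_a1f3", "user": "alice",
     "issuer": "https://sso.example.com/adfs/services/trust",
     "not_before": "2020-12-18T09:00:00", "not_on_or_after": "2020-12-18T10:00:00"},
    {"assertion_id": "_zz99", "user": "bob",
     "issuer": "https://sso.example.com/adfs/services/trust",
     "not_before": "2020-12-18T09:05:00", "not_on_or_after": "2030-12-18T09:05:00"},
    {"assertion_id": "_c0d4", "user": "carol",
     "issuer": "https://sts.unknown.example/trust",
     "not_before": "2020-12-18T09:10:00", "not_on_or_after": "2020-12-18T10:10:00"},
]

def check_token(rec, baseline=BASELINE, issued=IDP_ISSUED):
    """Return the ways one sign-in record departs from the SAML token baseline."""
    findings = []
    lifetime = (datetime.fromisoformat(rec["not_on_or_after"])
                - datetime.fromisoformat(rec["not_before"]))
    if rec["issuer"] not in baseline["issuers"]:
        findings.append("unknown_issuer")             # unexpected trust relationship
    if lifetime > baseline["max_lifetime"]:
        findings.append("lifetime_exceeds_baseline")  # token valid far longer than the IdP issues
    if rec["assertion_id"] not in issued:
        findings.append("no_idp_issuance_event")      # cloud accepted a token the IdP never logged
    return findings

def triage(signins):
    """Map assertion ID to findings for every record with at least one anomaly."""
    flagged = {}
    for rec in signins:
        findings = check_token(rec)
        if findings:
            flagged[rec["assertion_id"]] = findings
    return flagged

if __name__ == "__main__":
    for assertion_id, findings in triage(SIGNINS).items():
        print(assertion_id, findings)
```

The check that correlates cloud sign-ins with IdP issuance events only works if logs from both sides are retained and collected off the IdP host itself, since that host is the component assumed compromised.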