NSA Warns of Authentication Mechanism Abuse to Gain Access to Cloud Resources

The U.S. National Security Agency (NSA) has issued an alert that warns about two hacking techniques that are currently being used by threat groups to gain access to cloud resources containing protected data. These techniques abuse authentication mechanisms and allow attackers to steal credentials and maintain persistent access to networks.

These techniques have been used by the threat actors who compromised SolarWinds Orion platform. The hackers behind the attacks have yet to be identified, but some evidence has emerged that suggest this is a nation state attack by a Russian threat group, possibly APT29 (Cozy Bear). Secretary of State Mike Pompeo said in a radio interview on Friday that “now we can say pretty clearly that it was the Russians that engaged in this activity,” although on Saturday President Trump downplayed the attack and suggested there is a possibility China is responsible, although President Trump is largely alone in having that viewpoint.

The SolarWinds Orion platform supply chain attack was used to push malware out to customers through the SolarWinds software update mechanism, but that is one of several methods currently being used to compromise public and private sector organizations and government agencies.

“Initial access can be established through a number of means, including known and unknown vulnerabilities,” explained the NSA in its alert. “The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.”

Once initial access had been gained, through the SolarWinds compromise for example, the techniques described in the alert are used to gain additional privileges through the forging of credentials to maintain persistent access. The NSA has provided guidance on how to detect attacks and mitigate against them, regardless of how the initial access is gained. The NSA notes that these tactics are not new and have been used by threat actors since at least 2017 and continue to be effective.

The techniques described in the alert involve the use of compromised authentication tokens and abuse of compromised system administration accounts in Microsoft Azure and other cloud platforms once a local network has been compromised.

The first technique involves compromising an on-premises federated identity provider or single sign-on (SSO) system. These systems allow organizations to use the authentication system they already own to grant access to resources, including cloud services. These systems use cryptographically signed automated messages – assertions – which are shared via Security Assertion Markup Language (SAML) to show that users have been authenticated. Threat actors are abusing the authentication mechanism to gain illicit access to a wide range of assets owned by organizations.

The attackers either steal credentials or private keys from the SSO system that allow them to sign assertions and impersonate a legitimate user and gain sufficient privileges to create their own keys and identities, as well as their own SSO system. The second approach involves compromising admin accounts to assign credentials to cloud application services, after which the attackers call for the application’s credentials to gain automated access to cloud resources.

The NSA has warned that threat actors are continuing to exploit the recently disclosed command injection vulnerability in VMware products (CVE-2020-4006). In one case cited by the NSA exploitation of this vulnerability allowed initial local network access to be gained, rather than the SolarWinds method. The techniques described in the alert were then used to gain access to cloud resources. A patch has been released to correct the flaw affecting VMware products. The patch should be applied as soon as possible. Users of SolarWinds Orion should follow the previously published mitigations.

These attack methods to gain access to cloud resources do not exploit vulnerabilities in cloud infrastructure, federated identity management, the SAML protocol, or on-premises and cloud identity services, instead they abuse trust in the federated identity system.

“The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access,” said the NSA.

To prevent the new techniques from being successfully used to gain access to cloud resources, the NSA recommends the following:

  • Lock down SSO configuration and service principle usage
  • Harden systems running on-premises identity and federation services
  • Monitor logs for suspicious tokens that do not match the organization’s baseline for SAML tokens.
  • Audit tokens to detect anomalies
  • Examine logs for suspicious use of service principles
  • Look for unexpected trust relationships that have been added to Azure Active Directory

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.