NSA warns of cloud attacks on authentication mechanisms

The US National Security Agency (NSA) warns of two techniques abused by threat actors for escalating attacks from local networks to cloud infrastructure.

The US National Security Agency has published a security advisory that describes two techniques abused in recent attacks against cloud infrastructure.

The attack techniques are abused by hackers are using to escalate access from compromised local networks into cloud-based infrastructure.

The two techniques reported in the NSA’s advisory are related to the possibility to forge Security Assertion Markup Language (SAML) tokens used single sign-on (SSO) authentication processes.

Both techniques could be exploited by attackers that already breached the target network.

The alert was released “in response to ongoing cybersecurity events,” a clear reference to the recent SolarWinds supply-chain attack that impacted government organizations and private businesses worldwide.

“In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens (TA00061 , T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.” reads the advisory published by the NSA.

This SAML forgery attack technique has been exploited by threat actors at least since at least 2017.

“In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources).” continues the alert. “The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002)”

The alert ponts out that the TTPs do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services.

The alert recommends to use add-on cloud services and log correlation tools that use environmental values and sophisticated AI/ML algorithms to detect unusual patterns in user authentication and authorization that could be associated to an attack pattern.

The alert also provides mitigation actions that organizations could implement to detect these attacks.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, NSA)

[adrotate banner=”5″]

[adrotate banner=”13″]