The U.S. National Security Agency (NSA) has released an advisory describing two tactics that threat actors are currently using to gain access to cloud resources holding protected data. Both abuse authentication mechanisms and let attackers forge or steal credentials and maintain persistent access to systems.
The threat actors behind the SolarWinds Orion compromise are using these tactics. The group responsible has not been formally identified, although indications point to a Russian state-sponsored group, probably APT29 (Cozy Bear). Secretary of State Mike Pompeo said in a radio interview that Russia carried out the activity, while President Trump downplayed the attack and suggested that China might be responsible.
The SolarWinds Orion supply chain attack was used to push malware to customers through the SolarWinds software update process, but that is only one of several techniques currently being used to compromise public and private sector organizations and government agencies.
NSA’s advisory notes that initial access can be gained in several ways, including through known and unknown vulnerabilities; the SolarWinds Orion code compromise is the most recent example. Once on-premises systems were compromised, the attackers abused federated authentication to gain malicious access to cloud resources.
Once initial access has been obtained, the tactics described in the advisory are used to gain additional privileges by forging credentials and to maintain persistent access. The NSA provides guidance on detecting and mitigating these attacks regardless of how initial access was obtained, and notes that the tactics are not new: threat actors have used them since at least 2017 and continue to succeed with them.
The techniques detailed in the advisory involve the use of forged authentication tokens and the abuse of compromised administrative accounts in Microsoft Azure and other cloud platforms once a local network has been breached.
The first tactic involves compromising an on-premises federated identity provider or single sign-on (SSO) system. Federation lets organizations use the authentication system they already own to grant access to resources such as cloud services. It relies on cryptographically signed messages, called assertions, defined by the Security Assertion Markup Language (SAML), which prove to the cloud service that a user has been authenticated. Threat actors are abusing this process to gain illegitimate access to a wide range of organizational assets.
The attackers either steal the private signing key or credentials from the SSO system, which lets them sign assertions and impersonate any user, or they acquire enough privileges to create their own keys and identities, or even register their own identity provider. The second tactic consists of compromising administrator accounts to add credentials to cloud application service principals; the attackers then use the application's credentials to gain programmatic access to cloud resources.
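The following script is an added illustration of the first tactic and is not code from the NSA advisory or from any vendor. It models the trust relationship in miniature: an on-premises identity provider signs assertions, a cloud relying party accepts anything carrying a valid signature from the key it was configured to trust, and an attacker holding a copy of that private key can mint an assertion for any user, with any group membership and any lifetime, without ever authenticating to the identity provider. Assumptions: a textbook RSA key built from two small Mersenne primes so the script runs on the Python standard library alone, JSON in place of the XML canonicalisation and XML-DSig that real SAML uses, and the issuer and audience strings, which are placeholders.

```python
"""Toy model of federation trust and what a stolen IdP signing key buys.

Added illustration, not code from the NSA advisory or from any vendor.
ASSUMPTIONS: a tiny textbook RSA key (two Mersenne primes) so this runs on the
standard library alone, and JSON in place of the XML canonicalisation and
XML-DSig that real SAML uses. The trust model, a cloud relying party accepting
anything signed by the on-premises key, is the same as in production.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

P, Q = 2 ** 31 - 1, 2 ** 61 - 1                 # toy primes, NOT for production
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))               # private exponent held by the IdP
IDP_PUBLIC_KEY = (N, E)                         # configured on the cloud tenant
IDP_PRIVATE_KEY = (N, D)                        # sits on the ADFS/SSO server
ISSUER = "http://sts.corp.example/adfs/services/trust"   # placeholder IdP name
AUDIENCE = "urn:federation:MicrosoftOnline"              # placeholder audience


def _digest(claims, n):
    """Hash the canonical assertion body (stand-in for XML canonicalisation)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def sign_assertion(claims, private_key):
    """Whoever holds the private key can produce a valid assertion."""
    n, d = private_key
    return {"claims": claims, "signature": pow(_digest(claims, n), d, n)}


def _claims(subject, groups, lifetime):
    now = datetime.now(timezone.utc)
    return {
        "issuer": ISSUER, "audience": AUDIENCE, "subject": subject, "groups": groups,
        "not_before": now.isoformat(),
        "not_on_or_after": (now + lifetime).isoformat(),
    }


def issue_assertion(subject, groups):
    """Legitimate IdP: issued only after a real logon, default one-hour lifetime."""
    return sign_assertion(_claims(subject, groups, timedelta(hours=1)), IDP_PRIVATE_KEY)


def golden_saml(stolen_private_key, victim, groups, lifetime=timedelta(days=3650)):
    """Attacker with the exfiltrated key: no logon, any subject, any groups, any lifetime."""
    return sign_assertion(_claims(victim, groups, lifetime), stolen_private_key)


def relying_party_accepts(token, trusted_key=IDP_PUBLIC_KEY):
    """Cloud side: trusted signature, valid time window, right audience -> identity."""
    n, e = trusted_key
    claims = token["claims"]
    if pow(token["signature"], e, n) != _digest(claims, n):
        return None
    now = datetime.now(timezone.utc)
    if not (datetime.fromisoformat(claims["not_before"]) <= now
            < datetime.fromisoformat(claims["not_on_or_after"])):
        return None
    if claims["audience"] != AUDIENCE:
        return None
    return claims["subject"], claims["groups"]


if __name__ == "__main__":
    print(relying_party_accepts(issue_assertion("alice@corp.example", ["Users"])))
    forged = golden_saml(IDP_PRIVATE_KEY, "admin@corp.example", ["Global Administrators"])
    print(relying_party_accepts(forged))       # accepted: indistinguishable to the cloud
    forged["claims"]["subject"] = "mallory@corp.example"
    print(relying_party_accepts(forged))       # None: tampering breaks the signature
```

The point of the model is what the relying party does not check: it has no way to know whether the identity provider actually authenticated the subject, because the signature is the only evidence it is given. That is why the advisory's mitigations concentrate on protecting the signing key and on detecting tokens whose properties (lifetime, claims, missing on-premises logon) do not match the organization's baseline rather than on patching SAML itself.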
The NSA also warned that threat actors continue to exploit the recently disclosed command injection vulnerability in VMware Workspace One Access and related VMware identity products (CVE-2020-4006). In one case described by the NSA, exploitation of this vulnerability, rather than the SolarWinds supply chain compromise, provided initial access to the local network, after which the techniques in the advisory were used to reach cloud resources. VMware has released a patch for the vulnerability, which should be applied immediately. SolarWinds Orion users should follow the previously published mitigations.
These methods of gaining access to cloud resources do not exploit vulnerabilities in cloud platforms, federated identity management, the SAML protocol, or on-premises and cloud identity solutions. Instead, they abuse the trust placed in the identity federation.
Because the security of identity federation in any cloud environment depends on trusting the on-premises components that perform authentication, assign privileges, and sign SAML tokens, a compromise of any of those components allows that trust to be abused for unauthorized access.
To prevent these tactics from being used to gain access to cloud resources, the NSA recommends the following:
- Secure SSO configuration and service principal usage
- Harden the systems that run on-premises identity and federation services
- Examine logs for suspicious tokens that do not match the organization's baseline for SAML tokens
- Examine tokens to locate anomalies
- Check logs for suspicious use of service principals
- Look for unexpected trust relationships that have been added to Azure Active Directory
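The detection side of those recommendations, as an added example that is not part of the NSA advisory or of any vendor's tooling: three checks run over constructed sample records. The first flags SAML tokens that deviate from the baseline (an issuer the tenant should not see, a lifetime longer than the identity provider's default, or no on-premises logon for that user shortly before the token was issued, which is what a forged token looks like). The second pairs a new credential added to an application's service principal with the application authenticating from an address it has never used. The third flags federation settings changed for a domain nobody approved. Assumptions: the records are constructed and use a simplified field schema, not a real export format; the activity names mirror Azure AD audit-log entries but a real deployment would map its own logs onto them; the baseline values (issuer, one-hour lifetime, approved domains, known addresses) are placeholders that would come from the organization's own history.

```python
"""Baseline checks for forged SAML tokens, service principal credential abuse and
unexpected federation trusts. Added example, not the NSA's or any vendor's code.
ASSUMPTIONS: constructed records in a simplified schema; activity names mirror
Azure AD audit entries; baseline values are placeholders for learned history.
"""
from datetime import datetime, timedelta

BASELINE_ISSUER = "http://sts.corp.example/adfs/services/trust"   # placeholder
BASELINE_LIFETIME = timedelta(hours=1)             # ADFS default token lifetime
APPROVED_FEDERATED_DOMAINS = {"corp.example"}
SP_KNOWN_IPS = {"finance-api": {"203.0.113.10"}}  # learned from prior weeks (assumed)

# --- constructed sample telemetry, NOT real logs ---
SAML_TOKENS = [
    {"id": "t1", "user": "alice@corp.example", "issuer": BASELINE_ISSUER,
     "issued": "2020-12-15T09:00:00", "expires": "2020-12-15T10:00:00"},
    {"id": "t2", "user": "svc-backup@corp.example", "issuer": BASELINE_ISSUER,
     "issued": "2020-12-15T02:10:00", "expires": "2030-12-15T02:10:00"},  # 10-year token
    {"id": "t3", "user": "bob@corp.example", "issuer": "http://sts.partner.example/adfs/services/trust",
     "issued": "2020-12-15T11:00:00", "expires": "2020-12-15T12:00:00"},
]
IDP_LOGONS = [  # on-premises IdP authentication events; only alice really logged on
    {"user": "alice@corp.example", "time": "2020-12-15T08:59:30"},
]
AUDIT_EVENTS = [
    {"time": "2020-12-15T02:05:00", "activity": "Add service principal credentials",
     "actor": "admin@corp.example", "target": "finance-api"},
    {"time": "2020-12-15T02:20:00", "activity": "Set federation settings on domain",
     "actor": "admin@corp.example", "target": "partner.example"},
]
SP_SIGNINS = [
    {"time": "2020-12-15T02:08:00", "app": "finance-api", "ip": "198.51.100.7"},  # new IP
    {"time": "2020-12-15T09:30:00", "app": "finance-api", "ip": "203.0.113.10"},
]


def ts(s):
    return datetime.fromisoformat(s)


def anomalous_saml_tokens(tokens=SAML_TOKENS, logons=IDP_LOGONS):
    """Tokens that deviate from the SAML baseline or have no IdP logon behind them."""
    flagged = {}
    for t in tokens:
        reasons = []
        if t["issuer"] != BASELINE_ISSUER:
            reasons.append("unknown_issuer")
        if ts(t["expires"]) - ts(t["issued"]) > BASELINE_LIFETIME:
            reasons.append("lifetime_exceeds_baseline")
        # A forged token is minted offline: the IdP never saw the user authenticate.
        backed = any(l["user"] == t["user"]
                     and timedelta(0) <= ts(t["issued"]) - ts(l["time"]) <= BASELINE_LIFETIME
                     for l in logons)
        if not backed:
            reasons.append("no_idp_logon")
        if reasons:
            flagged[t["id"]] = reasons
    return flagged


def suspicious_sp_credential_use(events=AUDIT_EVENTS, signins=SP_SIGNINS,
                                 window=timedelta(hours=24)):
    """New credential on an app, then that app authenticating from an unseen address."""
    hits = []
    for ev in events:
        if ev["activity"] != "Add service principal credentials":
            continue
        for s in signins:
            if (s["app"] == ev["target"]
                    and timedelta(0) <= ts(s["time"]) - ts(ev["time"]) <= window
                    and s["ip"] not in SP_KNOWN_IPS.get(s["app"], set())):
                hits.append((ev["target"], ev["actor"], s["ip"]))
    return hits


def unexpected_federation_trusts(events=AUDIT_EVENTS):
    """Federation or domain-authentication changes for domains nobody approved."""
    return [(ev["target"], ev["actor"]) for ev in events
            if ev["activity"] in ("Set federation settings on domain", "Set domain authentication")
            and ev["target"] not in APPROVED_FEDERATED_DOMAINS]


if __name__ == "__main__":
    print(anomalous_saml_tokens())
    print(suspicious_sp_credential_use())
    print(unexpected_federation_trusts())
```

On the sample data the token check passes t1 (one-hour lifetime, matching issuer, a logon 30 seconds earlier), flags t2 for its ten-year lifetime and missing logon, and flags t3 for its foreign issuer and missing logon; the service principal check pairs the new credential with the sign-in three minutes later from an unknown address; the trust check reports the federation change for partner.example. The "no_idp_logon" correlation is the most valuable of the three in practice, because it is the one property a forger with a stolen key cannot fake from outside the identity provider.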