The National Security Agency is warning of attacks that target the local network and ultimately compromise organizations’ cloud resources.
As companies migrate to the cloud, improved security is one of the top selling points. While that is generally true, many security processes need to be reworked to account for cloud computing. This is especially true as many cloud systems and platforms are designed to interoperate with each other.
One security measure that has become popular is federated single sign-on (SSO). SSO is a way for an individual to use a single set of credentials to log into any number of authorized applications and services. Federated SSO advances that concept to allow a user to log into services across networks and platforms with the same trusted credentials.
Unfortunately, attackers appear to be abusing federated SSO to escalate attacks from compromised local networks to cloud resources.
The NSA has documented two such types of attack:
In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens (TA0006, T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access® and VMware Identity Manager® that allowed them to perform this TTP and abuse federated SSO infrastructure. While that example of this TTP may have previously been attributed to nation-state actors, a wealth of actors could be leveraging this TTP for their objectives. This SAML forgery technique has been known and used by cyber actors since at least 2017.
In a variation of the first TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.
In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002).
The NSA’s document contains mitigation techniques and should be read immediately by all systems administrators.
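As an added illustration of how a defender might look for both TTPs quoted above (this is example code written for this page, not from the NSA advisory or the article), the script below runs two checks over constructed sample data: SAML tokens are flagged when they are signed by a certificate outside the organisation's approved set, carry an unusually long validity window, or have no matching on-premises IdP login shortly before issuance; cloud directory audit events are flagged when credentials are added to a service principal. Field names, thumbprints, the one-hour lifetime policy and the five-minute correlation window are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values (constructed for this example, not from the advisory).
TRUSTED_SIGNING_THUMBPRINTS = {"AA11BB22CC33DD44EE55FF66AA11BB22CC33DD44EE55"}
MAX_TOKEN_LIFETIME = timedelta(hours=1)      # longest SAML validity the IdP should issue
ONPREM_LOGIN_WINDOW = timedelta(minutes=5)   # a real token follows an on-prem login

# Constructed sample data: tokens seen cloud-side, the on-prem IdP's own login
# records, and cloud directory audit events.
SAML_TOKENS = [
    {"subject": "alice@example.test",
     "signing_thumbprint": "AA11BB22CC33DD44EE55FF66AA11BB22CC33DD44EE55",
     "issue_instant": datetime(2020, 12, 17, 9, 0),
     "not_on_or_after": datetime(2020, 12, 17, 10, 0)},
    {"subject": "bob@example.test",
     "signing_thumbprint": "DEADBEEF00000000000000000000000000000000DEAD",
     "issue_instant": datetime(2020, 12, 17, 9, 5),
     "not_on_or_after": datetime(2020, 12, 18, 9, 5)},
]
ONPREM_LOGINS = {"alice@example.test": [datetime(2020, 12, 17, 8, 58)]}
CLOUD_AUDIT_EVENTS = [
    {"operation": "Add service principal credentials",
     "actor": "globaladmin@example.test", "target": "MailArchiverApp"},
    {"operation": "Update user",
     "actor": "helpdesk@example.test", "target": "carol@example.test"},
]

def check_saml_token(token, onprem_logins):
    """TTP 1: findings for one token; forged tokens from a stolen or attacker-added
    signing certificate tend to fail one or more of these three checks."""
    findings = []
    if token["signing_thumbprint"] not in TRUSTED_SIGNING_THUMBPRINTS:
        findings.append("signed by untrusted certificate")
    lifetime = token["not_on_or_after"] - token["issue_instant"]
    if lifetime > MAX_TOKEN_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds policy")
    issued = token["issue_instant"]
    if not any(timedelta(0) <= issued - t <= ONPREM_LOGIN_WINDOW
               for t in onprem_logins.get(token["subject"], [])):
        findings.append("no matching on-premises login")
    return findings

def check_audit_event(event):
    """TTP 2: a new credential on a service principal is rare and worth review."""
    if event["operation"] == "Add service principal credentials":
        return f"{event['actor']} added credentials to service principal {event['target']}"
    return None

def run_detections(tokens=SAML_TOKENS, logins=ONPREM_LOGINS, events=CLOUD_AUDIT_EVENTS):
    alerts = [("TTP1", t["subject"], f) for t in tokens for f in check_saml_token(t, logins)]
    alerts += [("TTP2", e["actor"], check_audit_event(e)) for e in events if check_audit_event(e)]
    return alerts

if __name__ == "__main__":
    for alert in run_detections():
        print(*alert)
```

Alice's token passes all three checks; Bob's token produces three findings and the credential addition produces one, so the run yields four alerts.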