Friday, October 4, 2024
HomeCloudNSA Warns of Cloud Attacks on Authentication Mechanisms

NSA Warns of Cloud Attacks on Authentication Mechanisms

Published on

The US National Security Agency (NSA) published a security advisory, warning about two techniques abused by threat actors for escalating attacks from local networks to cloud infrastructure.

The exploitation occurs after the actors have gained access to a victim’s on-premises network.

The actors leverage privileged access within the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.

- Advertisement - EHA

Two sets of Tactics, Techniques and Procedure (TTP) used by attackers

The actors exhibit two sets of tactics, techniques, and procedures (TTP) for gaining access to the victim network’s cloud resources, often with a particular focus on organizational email.

“In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens used single sign-on (SSO) authentication processes.

Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.” reads the advisory published by the NSA.

If the malicious cyber actors are unable to acquire an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

“In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals. The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002)”, alerts the NSA.

The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of the components is compromised, then the trust in authentication tokens from the components is misplaced and can be abused for unauthorized access.

Mitigation Actions

To secure against these TTPs, cloud tenants must lock down tenant SSO configuration and service principal usage, as well as harden the systems that run on-premises identity and federation services.

By observing the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services.

Detection

Inspect logs for suspicious tokens that do not match the baseline for SAML tokens that are typical for the tenant, and audit SAML token use to detect anomalies, for instance: 

  • Tokens with an unusually long lifetime
  • Tokens with unusual claims that do not match organizational policy
  • Tokens that claim to have been authenticated using a method that is not used by the organization
  • Tokens presented without corresponding log entries
  •  Tokens that include a claim that it is for inside the corporate network when it is not
  • Tokens that are used to access cloud resources that do not have records of being created by the on-premises identity provider in its logs.

Check logs for the suspicious use of service principals: 

  • Audit the creation and use of service principal credentials
  • In particular, look for unusual application usage, such as a dormant or forgotten application being used again;
  • Audit the assignment of credentials to applications that allows non-interactive sign-in by the application.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...