Thursday, February 6, 2025
HomeCloudNSA Warns of Cloud Attacks on Authentication Mechanisms

NSA Warns of Cloud Attacks on Authentication Mechanisms

Published on

SIEM as a Service

Follow Us on Google News

The US National Security Agency (NSA) published a security advisory, warning about two techniques abused by threat actors for escalating attacks from local networks to cloud infrastructure.

The exploitation occurs after the actors have gained access to a victim’s on-premises network.

The actors leverage privileged access within the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.

Two sets of Tactics, Techniques and Procedure (TTP) used by attackers

The actors exhibit two sets of tactics, techniques, and procedures (TTP) for gaining access to the victim network’s cloud resources, often with a particular focus on organizational email.

“In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens used single sign-on (SSO) authentication processes.

Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.” reads the advisory published by the NSA.

If the malicious cyber actors are unable to acquire an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

“In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals. The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002)”, alerts the NSA.

The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of the components is compromised, then the trust in authentication tokens from the components is misplaced and can be abused for unauthorized access.

Mitigation Actions

To secure against these TTPs, cloud tenants must lock down tenant SSO configuration and service principal usage, as well as harden the systems that run on-premises identity and federation services.

By observing the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services.

Detection

Inspect logs for suspicious tokens that do not match the baseline for SAML tokens that are typical for the tenant, and audit SAML token use to detect anomalies, for instance: 

  • Tokens with an unusually long lifetime
  • Tokens with unusual claims that do not match organizational policy
  • Tokens that claim to have been authenticated using a method that is not used by the organization
  • Tokens presented without corresponding log entries
  •  Tokens that include a claim that it is for inside the corporate network when it is not
  • Tokens that are used to access cloud resources that do not have records of being created by the on-premises identity provider in its logs.

Check logs for the suspicious use of service principals: 

  • Audit the creation and use of service principal credentials
  • In particular, look for unusual application usage, such as a dormant or forgotten application being used again;
  • Audit the assignment of credentials to applications that allows non-interactive sign-in by the application.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Beware of Nova Stealer Malware Sold for $50 on Hacking Forums

The cybersecurity landscape faces a new challenge with the emergence of Nova Stealer, a...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...