The US National Security Agency (NSA) published a security advisory, warning about two techniques abused by threat actors for escalating attacks from local networks to cloud infrastructure.
The exploitation occurs after the actors have gained access to a victim’s on-premises network.
The actors leverage privileged access within the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.
Two sets of Tactics, Techniques and Procedure (TTP) used by attackers
The actors exhibit two sets of tactics, techniques, and procedures (TTP) for gaining access to the victim network’s cloud resources, often with a particular focus on organizational email.
“In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens used single sign-on (SSO) authentication processes.
Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.” reads the advisory published by the NSA.
If the malicious cyber actors are unable to acquire an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.
“In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals. The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002)”, alerts the NSA.
The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of the components is compromised, then the trust in authentication tokens from the components is misplaced and can be abused for unauthorized access.
To secure against these TTPs, cloud tenants must lock down tenant SSO configuration and service principal usage, as well as harden the systems that run on-premises identity and federation services.
By observing the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services.
Inspect logs for suspicious tokens that do not match the baseline for SAML tokens that are typical for the tenant, and audit SAML token use to detect anomalies, for instance:
- Tokens with an unusually long lifetime
- Tokens with unusual claims that do not match organizational policy
- Tokens that claim to have been authenticated using a method that is not used by the organization
- Tokens presented without corresponding log entries
- Tokens that include a claim that it is for inside the corporate network when it is not
- Tokens that are used to access cloud resources that do not have records of being created by the on-premises identity provider in its logs.
Check logs for the suspicious use of service principals:
- Audit the creation and use of service principal credentials
- In particular, look for unusual application usage, such as a dormant or forgotten application being used again;
- Audit the assignment of credentials to applications that allows non-interactive sign-in by the application.