Thursday, March 28, 2024

NSA Warns of Cloud Attacks on Authentication Mechanisms

The US National Security Agency (NSA) published a security advisory, warning about two techniques abused by threat actors for escalating attacks from local networks to cloud infrastructure.

The exploitation occurs after the actors have gained access to a victim’s on-premises network.

The actors leverage privileged access within the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.

Two sets of Tactics, Techniques and Procedures (TTPs) used by attackers

The actors exhibit two sets of tactics, techniques, and procedures (TTPs) for gaining access to the victim network’s cloud resources, often with a particular focus on organizational email.

“In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens used in single sign-on (SSO) authentication processes.

Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.” reads the advisory published by the NSA.

If the malicious cyber actors are unable to acquire an on-premises signing key, they instead attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship that lets them forge SAML tokens.

“In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals. The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002)”, alerts the NSA.

The security of identity federation in any cloud environment depends directly on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then trust in the authentication tokens they produce is misplaced, and those tokens can be abused for unauthorized access.

Mitigation Actions

To secure against these TTPs, cloud tenants must lock down tenant SSO configuration and service principal usage, as well as harden the systems that run on-premises identity and federation services.

Monitoring the use of SSO tokens and of service principals in the cloud can help detect the compromise of identity services.

Detection

Inspect logs for suspicious tokens that do not match the baseline for SAML tokens that are typical for the tenant, and audit SAML token use to detect anomalies, for instance: 

  • Tokens with an unusually long lifetime
  • Tokens with unusual claims that do not match organizational policy
  • Tokens that claim to have been authenticated using a method that is not used by the organization
  • Tokens presented without corresponding log entries
  • Tokens that carry a claim of having been issued from inside the corporate network when the request did not come from inside it
  • Tokens that are used to access cloud resources that do not have records of being created by the on-premises identity provider in its logs.
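The following script is an added example, not code from the NSA advisory or from this article, that applies the checks in the list above to SAML assertions presented to a tenant. The sample assertions, the on-premises IdP issuance log, and the baseline values (expected issuer, one-hour maximum lifetime, allowed authentication contexts, permitted claim set) are constructed assumptions; a real deployment would take them from its own federation configuration and IdP logs.

```python
"""Added example (not from the NSA advisory or the article): checking presented SAML
assertions against a tenant baseline. Sample assertions, the IdP issuance log and the
baseline values are constructed assumptions."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
CORPNET_CLAIM = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

BASELINE = {  # assumed tenant policy; a real tenant derives this from its federation config
    "expected_issuer": "http://sts.example.local/adfs/services/trust",
    "max_lifetime": timedelta(hours=1),
    "allowed_authn_contexts": {PPT, "http://schemas.microsoft.com/claims/multipleauthn"},
    "allowed_claims": {UPN, "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", CORPNET_CLAIM},
}


def parse_iso(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(assertion_id, not_before, not_on_or_after, authn_context, claims,
                    issuer=BASELINE["expected_issuer"]):
    """Build a minimal, unsigned SAML 2.0 assertion; used only to construct sample input."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items())
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        f"<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}"
        "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>")


def check_assertion(xml_text, idp_log, baseline=BASELINE):
    """Return anomaly labels for one assertion (empty list = consistent with the baseline).

    idp_log maps assertion ID -> {"inside_corpnet": bool}, what the on-premises IdP recorded
    at issuance. A token the IdP never logged is the key signal for one forged with a stolen key."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("saml:Issuer", namespaces=NS) != baseline["expected_issuer"]:
        findings.append("unexpected_issuer")
    cond = root.find("saml:Conditions", NS)
    if parse_iso(cond.get("NotOnOrAfter")) - parse_iso(cond.get("NotBefore")) > baseline["max_lifetime"]:
        findings.append("long_lifetime")
    authn = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if authn not in baseline["allowed_authn_contexts"]:
        findings.append("unexpected_authn_method")
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if set(claims) - baseline["allowed_claims"]:
        findings.append("unknown_claim")
    record = idp_log.get(root.get("ID"))
    if record is None:
        findings.append("not_in_idp_log")
    # The corpnet claim is only credible if the IdP itself saw the request arrive from inside.
    if claims.get(CORPNET_CLAIM, "false").lower() == "true" and not (record and record["inside_corpnet"]):
        findings.append("corpnet_claim_mismatch")
    return findings


def triage(assertions, idp_log, baseline=BASELINE):
    """Map assertion ID -> findings for a batch of presented tokens."""
    return {ET.fromstring(a).get("ID"): check_assertion(a, idp_log, baseline) for a in assertions}


SAMPLE_IDP_LOG = {  # constructed: what the on-premises IdP logged as issued
    "_legit-0001": {"inside_corpnet": True},
    "_legit-0002": {"inside_corpnet": False},  # user signed in from outside the network
}
SAMPLE_ASSERTIONS = [  # constructed
    # Normal token: short lifetime, expected authn method, logged by the IdP.
    build_assertion("_legit-0001", "2024-03-28T09:00:00Z", "2024-03-28T09:30:00Z", PPT,
                    {UPN: "alice@example.com", CORPNET_CLAIM: "true"}),
    # Genuine token whose corpnet claim contradicts what the IdP saw.
    build_assertion("_legit-0002", "2024-03-28T09:05:00Z", "2024-03-28T09:35:00Z", PPT,
                    {UPN: "bob@example.com", CORPNET_CLAIM: "true"}),
    # Right issuer, but no IdP record, a day-long lifetime, an authn method the tenant does not
    # use and a claim outside policy: the shape of a token minted with a stolen signing key.
    build_assertion("_unknown-7f3a", "2024-03-28T09:00:00Z", "2024-03-29T09:00:00Z",
                    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
                    {UPN: "admin@example.com", CORPNET_CLAIM: "true",
                     "http://schemas.example.local/claims/role": "GlobalAdmin"}),
]

if __name__ == "__main__":
    for assertion_id, findings in triage(SAMPLE_ASSERTIONS, SAMPLE_IDP_LOG).items():
        print(assertion_id, findings or "ok")
```

The decisive signal for a token forged with a stolen signing key is `not_in_idp_log`: the signature verifies, so the cloud side alone cannot distinguish it from a genuine token, and only the issuing IdP's own records show that it never issued that assertion ID. The other checks catch the sloppier forgeries (day-long lifetimes, authentication methods the tenant never uses, claims outside policy) without needing the IdP logs at all.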

Check logs for the suspicious use of service principals: 

  • Audit the creation and use of service principal credentials
  • In particular, look for unusual application usage, such as a dormant or forgotten application being used again
  • Audit the assignment of credentials to applications, since such credentials allow non-interactive sign-in by the application.
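The following script is an added example, not part of the advisory or of this article, that runs the service principal checks above over constructed audit and sign-in records. The record schema, the operation name it matches, the 90-day dormancy threshold, the 24-hour use window and the set of global administrator accounts are all assumptions; the field names are a simplified stand-in, not any vendor's exact log export format.

```python
"""Added example (not from the advisory or the article): auditing service principal credential
assignment and dormant-application reactivation. Records are constructed and use a simplified,
assumed schema."""
from datetime import datetime, timedelta, timezone

CREDENTIAL_ADD_OPERATION = "Add service principal credentials"  # assumed operation name
DORMANT_AFTER = timedelta(days=90)   # assumed: no sign-ins for this long means the app is dormant
USE_WINDOW = timedelta(hours=24)     # assumed: first use of a new credential within this window is notable
GLOBAL_ADMINS = {"ga-admin@example.com"}  # assumed: accounts known to hold global administrator


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_service_principals(audit_events, sp_signins, dormant_after=DORMANT_AFTER, use_window=USE_WINDOW):
    """Return one finding per credential assignment, tagged with what the sign-in history shows."""
    history = {}  # app -> sorted [(sign-in time, resource accessed)]
    for s in sp_signins:
        history.setdefault(s["app"], []).append((ts(s["time"]), s["resource"]))
    for h in history.values():
        h.sort()
    findings = []
    for ev in audit_events:
        if ev["operation"] != CREDENTIAL_ADD_OPERATION:
            continue
        when, app = ts(ev["time"]), ev["target_app"]
        prior = [t for t, _ in history.get(app, []) if t < when]
        later = [(t, r) for t, r in history.get(app, []) if when <= t <= when + use_window]
        tags = ["credential_added"]
        if ev["actor"] in GLOBAL_ADMINS:
            tags.append("added_by_global_admin")
        dormant = not prior or when - prior[-1] > dormant_after
        if dormant:
            tags.append("dormant_app")
        if later:
            tags.append("new_credential_used_within_window")
        if dormant and later:  # a forgotten app that springs back to life right after getting a new secret
            tags.append("dormant_app_reactivated")
        findings.append({"app": app, "added_by": ev["actor"], "at": ev["time"], "tags": tags,
                         "resources_after": sorted({r for _, r in later})})
    return findings


SAMPLE_AUDIT_EVENTS = [  # constructed directory audit records
    {"time": "2024-03-20T08:15:00Z", "operation": CREDENTIAL_ADD_OPERATION,
     "actor": "ga-admin@example.com", "target_app": "Legacy-HR-Sync"},
    {"time": "2024-03-21T11:00:00Z", "operation": "Update application",
     "actor": "dev@example.com", "target_app": "Intranet-Portal"},
    {"time": "2024-03-22T14:30:00Z", "operation": CREDENTIAL_ADD_OPERATION,
     "actor": "dev@example.com", "target_app": "Intranet-Portal"},
]
SAMPLE_SP_SIGNINS = [  # constructed non-interactive (service principal) sign-ins
    {"time": "2023-11-01T02:00:00Z", "app": "Legacy-HR-Sync", "resource": "Azure Storage"},
    {"time": "2024-03-20T09:02:00Z", "app": "Legacy-HR-Sync", "resource": "Exchange Online"},
    {"time": "2024-03-21T00:00:00Z", "app": "Intranet-Portal", "resource": "Microsoft Graph"},
    {"time": "2024-03-22T00:00:00Z", "app": "Intranet-Portal", "resource": "Microsoft Graph"},
    {"time": "2024-03-23T00:00:00Z", "app": "Intranet-Portal", "resource": "Microsoft Graph"},
]

if __name__ == "__main__":
    for f in audit_service_principals(SAMPLE_AUDIT_EVENTS, SAMPLE_SP_SIGNINS):
        print(f["app"], f["added_by"], f["tags"], f["resources_after"])
```

Every credential assignment is reported, because the assignment itself is the auditable act; the tags then separate routine developer activity (an app that signs in daily gets a rotated secret) from the pattern the advisory describes, where a global administrator adds a secret to an application nobody has used for months and that application immediately starts reading mail.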

Gurubaran (https://gbhackers.com)

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.