NSA Warns of Hacking Tactics That Target Cloud ResourcesAlert Follows Week's Worth of Revelations About SolarWinds Breach
The U.S. National Security Agency has issued a warning about two hacking techniques that could allow threat actors to access cloud resources by bypassing authentication mechanisms.
The warning comes after a week's worth of revelations over the SolarWinds breach that has affected government agencies as well as corporations, including Microsoft, FireEye, Intel and Nvida (see: SolarWinds Hack: Lawmakers Demand Answers).
Secretary of State Mike Pompeo, commenting on the breach, said in a Friday evening radio interview that “the Russians engaged in this activity."
“I can’t say much more as we’re still unpacking precisely what it is, and I’m sure some of it will remain classified," Pompeo said, according to a transcript provided by the State Department. “But suffice it to say there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well. This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity."
In a pair of tweets on Saturday, President Donald Trump appeared to question whether Russia was involved in the hacking operation and opened up the possibility that China may have played a role (see: President Trump Downplays Impact of SolarWinds Breach).
"The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."
The NSA advisory does not specify whether the nation-state hackers behind the SolarWinds breach used these same tactics, techniques and procedures to compromise various networks and gain additional privileges, but the advisory notes threat actors could use these methods to steal credentials and maintain persistent access.
"Initial access can be established through a number of means, including known and unknown vulnerabilities," according to the NSA alert. "The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access."
The NSA adds these particular tactics and methods described in the alert are not new and have been used by threat actors since 2017.
If malicious cyber actors gain initial access to networks through the #SolarWinds compromise, the TTPs noted in our advisory may be used to forge credentials and maintain persistent access. Our guidance helps detect and mitigate against this, no matter the initial access method. https://t.co/cEjg5pcyS3— NSA Cyber (@NSACyber) December 18, 2020
The two techniques described by NSA involve hacking of cloud resources using either compromised authentication tokens or through compromised system administration accounts in the Microsoft Azure platform. The agency adds, however, that these techniques can be replicated in other cloud platforms as well.
The NSA notes that its latest alert builds on a previous warning about techniques that Russian-linked hackers were using to exploit a vulnerability in several VMware products. The company has since issued a fix for this bug, and users are encouraged to apply it as soon as possible (see: NSA: Russian Hackers Exploiting VMware Vulnerability).
This alert describes two scenarios where the attackers have already compromised the local network and have gained access to the authentication mechanisms that are used to access cloud resources.
In the first scenario, the threat actors begin by compromising on-premises components of federated single sign-on authentication systems that use a single identification and password to log into several systems, the advisory notes.
The attackers then steal credentials or private keys that are used to sign Security Assertion Markup Language, or SAML, tokens used for authentication and authorization between cloud service providers and its tenants or users, the NSA notes.
"Using the private keys, the actors then forge trusted authentication tokens to access cloud resources," according to the NSA alert. "If the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens."
In the second scenario, the threat actors use compromised administrator accounts to assign credentials to cloud application services. The actors then call for the applications' credentials to gain automated access to cloud resources, the advisory adds.
The NSA adds that attacks against the cloud infrastructure do not use vulnerabilities in the cloud components, but instead manipulate the "trust" needed for performing authentication, assigned privileges and the SAML tokens.
"If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access," the advisory notes.
Brendan O'Connor, CEO and co-founder of security firm AppOmni, notes the tactics described by NSA particularly make third-party apps that connect to cloud services more susceptible to attacks, especially with more organizations now working remotely due to the COVID-19 pandemic.
"It's not that our premise tools have failed, but the data has moved to where they can't see it," O'Connor tells Information Security Media Group. "Getting visibility into what third-party applications are already connected to your cloud applications should be one of the top priorities for security teams."
Because the attacks mainly take advantage of Security Assertion Markup Language in cloud platforms, the NSA recommends several steps that cloud service providers and users can adopt to prevent breaches using the scenarios described in the alert. These mitigation methods include:
- Checking for tokens that are making unusual authentication requests that do not match the organization's security policies;
- Checking for tokens that claim to have been authenticated using a method that is not currently deployed by the organization such as multifactor authentication when that is not normally required;
- Ensuring that tokens presented without corresponding log entries, such as tokens that contain multifactor authentication claims where there is no corresponding system transaction;
- Checking tokens that are used to access cloud resources that do not have a record of being created by the on-premises identity provider within the organization's internal logs.
The NSA also recommends auditing of the tokens to identify any disparities in their activities. This can be done by either auditing the creation and use of service principal credentials or by auditing the assignment of credentials to applications that allow for non-interactive sign-in by the application.
While the mitigation strategies described by the NSA are meant to provide guidance for the National Security System, Department of Defense, and Defense Industrial Base network administrators, these methods can be applied to any network.
Managing Editor Scott Ferguson contributed to this report.