NSA warns of login abuse for local-to-cloud attacks


The US National Security Agency has published a security advisory on Thursday warning about two techniques hackers are using to escalate access from compromised local networks into cloud-based infrastructure.

The advisory comes on the heels of the huge SolarWinds supply chain hack that has hit several United States government agencies, security firm FireEye, and last , Microsoft.

While the NSA doesn’t specifically mention the SolarWinds hack in its advisory, both techniques described within the document have also been spotted being abused by the SolarWinds hackers to escalate access to cloud resources after initially gaining access to local networks via the trojanized SolarWinds Orion app — as per advisories from FireEye, Microsoft, and CISA (the US Cybersecurity and Infrastructure Security Agency).

As to not distort the NSA’s message, we’ll quote details about the 2 techniques directly from the agency’s advisory:

“In the primary [technique], the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that’s want to sign Security Assertion terminology (SAML) tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.

In a variation of the primary TTP, if the malicious cyber actors are unable to get a non-premises signing key, they might plan to gain sufficient administrative privileges within the cloud tenant to feature a malicious certificate trust relationship for forging SAML tokens.

In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). 

The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that might rather be difficult for the actors to access or would more easily be noticed as suspicious.”

The NSA notes that neither technique is new which both are used since a minimum of 2017, by both nation-state groups but also by other sorts of threat actors.

Furthermore, the NSA adds that neither of the 2 techniques exploits vulnerabilities in federated authentication products, but they rather abuse legitimate functions after an area network or admin account compromise.

The US security agency says that there are countermeasures that companies can put in situ to a minimum of detect when an intruder abuses these mechanisms and answer breach faster.

These mitigations, grouped across several categories, are detailed within the NSA advisory, available for download as a PDF document.

The NSA also said that albeit the advisory and mitigations are centered around Microsoft Azure, “many of the techniques are often generalized to other environments also .”


Please enter your comment!
Please enter your name here