Trust-Based Federated Login Abused for Local-to-Cloud Attacks

In light of the SolarWinds supply chain attack, the National Security Agency (NSA) described two techniques that attackers use to escalate access from a compromised on-premises network to cloud-based infrastructure.

A serious threat

The NSA advisory noted that neither technique is new: both have been in use since at least 2017, by nation-state groups and other threat actors.
  • In the first technique, the attackers compromise on-premises components of a federated single sign-on (SSO) infrastructure and steal the private keys or credentials used to sign Security Assertion Markup Language (SAML) tokens. With the signing key, they can forge authentication tokens that the targeted cloud resources accept as genuine.
  • If the attackers fail to obtain an on-premises signing key, they fall back to the second technique: gaining administrative privileges within the cloud tenant and adding a malicious certificate trust relationship, so that SAML tokens forged with their own key are trusted.

Additional insights

  • Neither technique exploits a vulnerability in federated authentication products, the SAML protocol, or the associated identity services. Both abuse the trust placed in the on-premises components that authenticate users, assign privileges, and sign SAML tokens.
  • The attacks reportedly abused legitimate functionality only after the attacker had already compromised a local network or an administrator account.

Recent trust-based exploitations

Besides their use in the recent SolarWinds attacks, several other trust-based threats have been observed in the recent past.
  • Three critical vulnerabilities were discovered in the Go language's XML parser, which could lead to a complete bypass of SAML authentication.
  • SecureAuth uncovered a vulnerability affecting SAP HANA's use of the SAML standard.
  • Last month, a proof-of-concept was created for manipulating the Azure authentication function to obtain the skeleton key.

Conclusion

According to the NSA advisory, countermeasures include locking down the tenant's SSO configuration and hardening the systems that run on-premises identity and federation services. In addition, experts recommend removing unneeded applications, enforcing multi-factor authentication, and disabling legacy authentication.
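The second technique described above works by adding a signing certificate the tenant never approved, and "locking down tenant SSO configuration" only helps if someone notices such an addition. The following audit script is an added example, not code from the NSA advisory or from the article: it parses an identity-provider's SAML metadata, computes the SHA-256 thumbprint of every certificate permitted for signing, and diffs that set against an approved baseline, flagging both unexpected additions and baseline certificates that have disappeared. The metadata document, the entityID, and the "certificate" bytes are constructed placeholders (real metadata carries base64-encoded X.509 DER); it uses only the Python standard library.

```python
"""Audit the signing certificates trusted by a SAML federation configuration.

Added example (not from the NSA advisory or the article). The metadata below and
the certificate bytes are constructed placeholders, not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "DER" bytes; real metadata carries base64 X.509 DER here.
APPROVED_CERT_B64 = base64.b64encode(b"constructed: approved signing certificate").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"constructed: encryption-only certificate").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed: certificate added without approval").decode()

# Constructed IdP metadata (entityID is a placeholder): one approved signing cert,
# one encryption-only cert (ignored by the audit), and one extra KeyDescriptor
# without a 'use' attribute, which the SAML metadata spec treats as signing-capable.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{APPROVED_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ROGUE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def thumbprint(cert_b64: str) -> str:
    """SHA-256 hex thumbprint of the DER bytes carried in a base64 X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))  # tolerate line-wrapped base64
    return hashlib.sha256(der).hexdigest()


def signing_certs(metadata_xml: str) -> list[dict]:
    """Return every certificate the metadata permits for signing.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is included; 'encryption'-only descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if use == "encryption":
            continue
        for cert_el in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append({"use": use or "signing+encryption",
                          "sha256": thumbprint(cert_el.text or "")})
    return certs


def audit_signing_certs(metadata_xml: str, approved_thumbprints) -> dict:
    """Diff the signing-capable certificates in the metadata against an approved baseline."""
    approved = {t.lower() for t in approved_thumbprints}
    present = signing_certs(metadata_xml)
    seen = {c["sha256"] for c in present}
    return {
        "unexpected": [c for c in present if c["sha256"] not in approved],  # added trust
        "missing": sorted(approved - seen),                                  # rotated/removed
        "total_signing_certs": len(present),
    }


def audit_sample() -> dict:
    """Run the audit over the constructed metadata; only the approved cert is baselined."""
    return audit_signing_certs(SAMPLE_METADATA, {thumbprint(APPROVED_CERT_B64)})


if __name__ == "__main__":
    result = audit_sample()
    for cert in result["unexpected"]:
        print(f"ALERT: signing certificate not in baseline: {cert['sha256']} (use={cert['use']})")
    for tp in result["missing"]:
        print(f"WARN: baseline certificate no longer present: {tp}")
    print(f"{result['total_signing_certs']} signing-capable certificate(s) checked")
```

Run against the constructed sample, the script raises one alert for the descriptor that has no `use` attribute: that is the case a naive check for `use="signing"` would miss, because a descriptor without `use` is signing-capable. Pointing the same function at metadata exported from a real tenant, with a baseline of thumbprints recorded at a known-good time, turns it into a scheduled drift check for the trust relationship the second technique depends on.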