The National Security Agency (NSA) has released a cybersecurity advisory on detecting abuse of authentication mechanisms.
According to the advisory, malicious cyber actors are abusing trust in federated authentication environments to access protected data.
The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.
“The exploitation occurs after the actors have gained initial access to a victim’s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources,” it explains.
The actors demonstrate two sets of tactics, techniques, and procedures (TTPs) for gaining access to the victim network's cloud resources, often with a particular focus on organizational email.
CISA encourages National Security System, Department of Defense, and Defense Industrial Base network administrators to review the NSA cybersecurity advisory and CISA Activity Alert AA20-352A and take the appropriate mitigation actions.
To defend against these TTPs, CISA wants cloud tenants to pay careful attention to locking down tenant SSO configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services.