Detecting Abuse of Authentication Mechanisms – Abridged

Summary

Malicious cyber actors are abusing trust in federated authentication environments to access protected data. An “on premises” federated identity provider or single sign-on (SSO) system lets an organization use the authentication systems they already own (e.g. tokens, authentication apps, one-time passwords, etc.) to grant access to resources, including resources in “off premises” cloud services. These systems often use cryptographically signed automated messages called “assertions” shared via Security Assertion Markup Language (SAML) to show that users have been authenticated. When an actor can subvert authentication mechanisms, they can gain illicit access to a wide range of an organizations assets.

In some cases, actors have stolen keys from the SSO system that allow them to sign assertions and impersonate any legitimate user who could be authenticated by the system. On 7 December, NSA reported on an example where a zeroday vulnerability was being used to compromise VMware Access®1 and VMware Identity Manager®2 servers, allowing actors to forge authentication assertions and thus gain access to the victim’s protected data. In other cases, actors have gained enough privileges to create their own keys and identities such as “service principals” (cloud applications that act on behalf of a user) or even their own fake SSO system. According to public reporting, in some cases, the SolarWinds Orion®3 code compromise provided actors initial access to an on-premises network which led to access within the cloud.

Note that these techniques alone do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services. The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in the federated identity system can be
abused for unauthorized access.

To defend against these techniques, organizations should pay careful attention to locking down SSO configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services. Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services. While these techniques apply to all cloud environments that support on-premises federated authentication, the following specific mitigations are focused on Microsoft Azure®4 federation. Many of the techniques can be generalized to other environments as well.

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of NSA’s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense, and Defense Industrial Base information systems, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

Client Requirements / General Cybersecurity Inquiries: Cybersecurity Requirements Center, 410-854-4200, Cybersecurity_Requests@nsa.gov

Media inquiries / Press Desk: Media Relations, 443-634-0721, MediaRelations@nsa.gov

Detecting Abuse of Authentication Mechanisms – Abridged

AUTHENTICATION_MECHANISMS_CSA_EXEC_U_OO_198854_20

Detecting Abuse of Authentication Mechanisms

AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20

The Thinking Conservative
The Thinking Conservativehttps://www.thethinkingconservative.com/
The goal of THE THINKING CONSERVATIVE is to help us educate ourselves on conservative topics of importance to our freedom and our pursuit of happiness. We do this by sharing conservative opinions on all kinds of subjects, from all types of people, and all kinds of media, in a way that will challenge our perceptions and help us to make educated choices.

Columns

Justice Delayed is Justice Denied, Prosecute Jeffrey Goldberg!

Jeffrey Goldberg reported on his mistaken inclusion in a signal chat as a hit piece on Trump. Should he be prosecuted under the Espionage Act?

Zelensky Has No Feasible Alternative To Accepting Trump’s Lopsided Resource Deal

Trump warned Zelensky he will have “some problems – big, big problems” if he “tries to back out of the rare earth deal” amidst reports agreement is lopsided.

DOGE and Musk Recover Deleted Computer Files

Elon Musk and his “Geek Squad” discovered an entire terabyte of data was deleted from government servers from the office of the “Institute of Peace”.

A Simple Question

What is a woman? Anyone with an IQ above room temperature can answer the question. Everyone, that is, except Democrats.

Democrats Tesla Takedown is a Proven Astro Turf Movement

Elon Musk and other journalistic leaders like Joe Rogan have been asking the critical question, “Who is behind the organization of these Tesla protests?”

News

US Layoffs Top 275,000 in March, Driven by Government Job Cuts: Report

Layoffs announced by U.S.-based employers soared in March to highest level since COVID-19 pandemic, with govt job cuts accounting for most headcount reduction.

Dow Jones Drops 1,500 Points a Day After Trump Tariff Announcement

U.S. stock indexes dropped after Trump's sweeping tariffs of 10 percent or higher, with Dow Jones plunging by 1,500 points at one point in early trading.

7 Takeaways From Trump’s Reciprocal Tariff Roll Out

Trump announced sweeping trade policy changes, introducing what he called “reciprocal tariffs” for all countries and declaring it “Liberation Day in America.”

ACLU Sues Trump Admin Over Canceled Grants Tied to DEI, Gender Identity Research

ACLU, public health orgs, unions, and researchers, filed federal lawsuit accusing NIH of unlawfully canceling research grants due to political and ideological pressure.

US Immigration Services Drops 3rd Gender Option

US immigration services agency officially updated policy to recognize only two biological sexes—male and female—for all immigration-related doc and benefit requests.

Transgender Covenant School Killer Planned Attack for Years, Final Police Report Says

Transgender shooter in mass killing at Christian school in Nashville, TN was an alumnus motivated by a quest for notoriety, final police report concludes.

Supreme Court Reviews South Carolina’s Medicaid Funding Block on Planned Parenthood

U.S. Supreme Court weighed whether South Carolina can stop abortion provider Planned Parenthood from taking part in state’s Medicaid program.

Africa at Crossroads After $13 Billion US Aid Cut, Say Analysts

African countries reacted with shock when the U.S. government recently cut $13 billion in financial assistance.
spot_img

Related Articles

Popular Categories

MAGA Business Central