NSA headquarters
Image via Marco Verch (Flickr/CC 2.0)

The US National Security Agency has published a security advisory on Thursday warning about two techniques hackers are using to escalate access from compromised local networks into cloud-based infrastructure.

The advisory comes on the heels of the massive SolarWinds supply chain hack that has hit several US government agencies, security firm FireEye, and most recently, Microsoft.

Also: Best VPNs

While the NSA doesn’t specifically mention the SolarWinds hack in its advisory, both techniques described in the document have also been spotted being abused by the SolarWinds hackers to escalate access to cloud resources after initially gaining access to local networks via the trojanized SolarWinds Orion app — as per advisories from FireEyeMicrosoft, and CISA (the US Cybersecurity and Infrastructure Security Agency).

As not to distort the NSA’s message, we’ll quote details about the two techniques directly from the agency’s advisory:


“In the first [technique], the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. […]

In a variation of the first TTP, if the malicious cyber actors are unable to obtain a non-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious.”


The NSA notes that neither technique is new and that both have been used since at least 2017, by both nation-state groups but also by other types of threat actors.

Furthermore, the NSA adds that neither of the two techniques exploits vulnerabilities in federated authentication products, but they rather abuse legitimate functions after a local network or admin account compromise.

The US security agency says that there are countermeasures that companies can put in place to at least detect when an intruder abuses these mechanisms and respond to breach faster.

These mitigations, grouped across several categories, are detailed in the NSA advisory, available for download as a PDF document.

The NSA also said that even if the advisory and mitigations are centered around Microsoft Azure, “many of the techniques can be generalized to other environments as well.”

nsa-saml-advisory.jpg

Image: NSA