Originally reported by ZDNet, the NSA has released a security advisory detailing to attack techniques used by the SolarWinds hackers to escalate access to cloud resources. The techniques, which have been detailed by the NSA in their advisory, take advantage of security mechanisms like the use of SAML (Security Assertion Markup Language) tokens in order to forge trusted authentication tokens to access cloud resources. While the techniques are focused around Microsoft Azure, the NSA mentioned they could be applied to other environments as well.
Analyst Notes
Binary Defense recommends that administrators take some of the steps suggested by the NSA for securing/hardening tenant SSO configurations, such as ensuring that token claims are consistent with organizational policy. Additionally Binary Defense recommends deploying a 24/7 SOC monitoring solution, such as Binary Defense’s own Security Operations Task Force. Additionally, the full NSA advisory can be found here: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF
https://www.zdnet.com/article/nsa-warns-of-federated-login-abuse-for-local-to-cloud-attacks/
