An advisory from the U.S. National Security Agency provides Microsoft Azure administrators guidance to detect and protect against threat actors looking to access resources in the cloud by forging authentication information.
The document considers an adversary that already breached the local network and has privileged access to the on-premise authentication mechanisms for the cloud infrastructure.
TTPs for pivoting to cloud resources
NSA released the guidance “in response to ongoing cybersecurity events,” referring to the SolarWinds supply-chain attack that targeted private and government organizations in at least seven countries by Microsoft’s count.
Among the victims are multiple departments of the U.S. Government, including Treasury, Commerce, Energy, Homeland Security, the National Institutes of Health, and the National Nuclear Security Administration (NNSA).
The two tactics, techniques, and procedures (TTPs) discussed in NSA’s advisory have been in use since at least 2017 and refer to forging Security Assertion Markup Language (SAML) tokens for single sign-on (SSO) authentication to other service providers.
“In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources” – the U.S. National Security Agency [PDF]
A variation of the above occurs when the adversary cannot obtain an on-premise signing key and instead acquires admin privileges on the victim network to add a malicious certificate that enables forging SAML tokens.
In the second case, the threat actor uses a compromised global administrator account to assign credentials to identities for cloud apps that can be invoked to access other cloud resources.
The agency explains that the actor can then invoke the application’s credentials to access cloud resources, with the email service typically being the goal.
These TTPs are not vulnerabilities in the design of federated identity management, the SAML protocol, or identity services available locally or in the cloud.
On-premise components responsible for authentication, assigning privileges, and signing SAML tokens are essential to the security of identity federation in any cloud environment; compromising any of them can break the trust placed in the authentication tokens.
“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML tokens could be forged, granting access to numerous resources” – the U.S. National Security Agency.
The agency provides a set of mitigation actions that administrators can use to defend against the above TTPs and to make it more difficult for threat actors to access on-premise identity and federation services.
The measures are aimed at the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators and focus on Microsoft Azure federation. But many of them can be adapted to other environments.
Hardening the systems running local identity and federation services and monitoring the use of SSO tokens are the main lines that administrators can follow to protect against and detect a compromise of identity services.
For Microsoft Azure environments, the NSA recommends reviewing the authentication and authorization configuration in Active Directory and setting it up to reject authorization requests that use tokens with attributes inconsistent with organizational policy.
Removing unnecessary applications with credentials, enforcing multi-factor authentication, and disabling legacy authentication are good defenses for the environment.
Additional measures to secure the private keys should be considered, such as using a FIPS-validated Hardware Security Module (HSM).
Detecting indicators of compromise is a task shared by the cloud service provider and the tenant organization. The former can use their position to look for sophisticated attacks.
Organizations can search local and cloud logs for signs of suspicious tokens. The NSA recommends paying attention to the following:
- Tokens with an unusually long lifetime
- Tokens with unusual claims that do not match organizational policy
- Tokens that claim to have been authenticated using a method that is not used by the organization (e.g., MFA when the organization does not use MFA, or MFA by a provider that does not usually perform MFA)
- Tokens presented without corresponding log entries, such as tokens with MFA claims where there is no corresponding MFA system transaction, or tokens consumed at the resource with no corresponding federation server transaction.
- Tokens that include a claim that they were issued from inside the corporate network when they were not
- Tokens used to access cloud resources for which the on-premises identity provider has no record of issuance in its logs
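The token checks above can be run over assertions and sign-in records pulled from the federation server and the cloud tenant. The following is an added example, not code from the NSA advisory or from Microsoft: it parses a constructed SAML assertion, compares it with a constructed organizational policy (one-hour maximum lifetime, no MFA at the identity provider, a 10.0.0.0/8 corporate range), and cross-references the assertion ID against a constructed federation-server log and MFA log. The AD FS claim type URIs and the client address are assumptions for the example.

```python
"""Screen a SAML assertion against the forged-token indicators listed above.
Added example, not NSA or Microsoft code; policy, assertion and logs are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# AD FS claim type URIs (assumed here; adjust to the claim rules your IdP actually emits)
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
AUTHN_METHODS_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
INSIDE_CORP_CLAIM = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
MFA_METHOD = "http://schemas.microsoft.com/claims/multipleauthn"

# Constructed organizational policy: what a legitimately issued token looks like
POLICY = {
    "max_lifetime": timedelta(hours=1),
    "mfa_in_use": False,  # this organization's IdP never performs MFA
    "corp_networks": [ipaddress.ip_network("10.0.0.0/8")],
    "expected_claims": {UPN_CLAIM, AUTHN_METHODS_CLAIM, INSIDE_CORP_CLAIM},
}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-12-17T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Pull the fields the checks need out of a <saml:Assertion> element."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return {"id": root.get("ID"), "not_before": _ts(cond.get("NotBefore")),
            "not_on_or_after": _ts(cond.get("NotOnOrAfter")), "attributes": attrs}


def check_assertion(assertion, federation_log_ids, mfa_log_ids, client_ip, policy=POLICY):
    """Return one finding string per indicator the assertion trips."""
    findings = []
    lifetime = assertion["not_on_or_after"] - assertion["not_before"]
    if lifetime > policy["max_lifetime"]:
        findings.append(f"lifetime {lifetime} exceeds policy maximum {policy['max_lifetime']}")
    unexpected = set(assertion["attributes"]) - policy["expected_claims"]
    if unexpected:
        findings.append(f"claims outside policy: {sorted(unexpected)}")
    if MFA_METHOD in assertion["attributes"].get(AUTHN_METHODS_CLAIM, []):
        if not policy["mfa_in_use"]:
            findings.append("MFA claim present but the organization does not use MFA")
        elif assertion["id"] not in mfa_log_ids:
            findings.append("MFA claim without a matching MFA system transaction")
    inside = assertion["attributes"].get(INSIDE_CORP_CLAIM, ["false"])[0].lower() == "true"
    if inside and not any(ipaddress.ip_address(client_ip) in n for n in policy["corp_networks"]):
        findings.append(f"claims insidecorporatenetwork but client {client_ip} is external")
    if assertion["id"] not in federation_log_ids:
        findings.append("assertion ID has no federation server transaction")
    return findings


# Constructed sample: 24-hour lifetime, an MFA claim the IdP never issues, an extra
# role claim, an inside-network claim, and an ID the federation server never logged
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_forged-0001" IssueInstant="2020-12-17T09:00:00Z" Version="2.0">
  <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2020-12-17T09:00:00Z" NotOnOrAfter="2020-12-18T09:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>admin@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
      <saml:AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork">
      <saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://example.test/claims/role">
      <saml:AttributeValue>GlobalAdmin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
FEDERATION_LOG_IDS = {"_issued-1001", "_issued-1002"}  # constructed: IDs AD FS really issued
MFA_LOG_IDS = set()                                      # constructed: no MFA transactions today


def run_example():
    """Evaluate the sample from an external client address (constructed, RFC 5737 range)."""
    return check_assertion(parse_assertion(SAMPLE_ASSERTION), FEDERATION_LOG_IDS, MFA_LOG_IDS, "203.0.113.7")


if __name__ == "__main__":
    for finding in run_example():
        print("-", finding)
```

Each finding maps to one bullet above; in practice the federation-server and MFA log sets would be built from the AD FS audit events for the same time window as the cloud sign-in being examined, so that a token with no issuance record stands out even when its claims look ordinary.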
Examine logs for the suspicious use of service principals:
- Audit the creation and use of service principal credentials
- In particular, look for unusual application usage, such as a dormant or forgotten application being used again
- Audit the assignment of credentials to applications that allow non-interactive sign-in by the application
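The three service-principal checks above combine naturally: a credential assigned to an application, followed shortly by sign-ins from an application that had been dormant, is the footprint of the second TTP. The following is an added example, not code from the NSA advisory or from Microsoft. It runs over constructed, simplified audit-log and sign-in records (real Azure AD logs carry many more fields); the audit operation name "Add service principal credentials", the 90-day dormancy threshold and the 24-hour correlation window are assumptions for the example.

```python
"""Audit service principal credentials and dormant-application reactivation.
Added example, not NSA or Microsoft code; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit-log operation name for assigning a secret/certificate to a service
# principal (assumed here; confirm against your tenant's audit log entries)
CREDENTIAL_OPS = {"Add service principal credentials"}
DORMANCY = timedelta(days=90)            # no sign-in for this long counts as dormant
CORRELATION_WINDOW = timedelta(hours=24)  # credential add to first sign-in

# Constructed audit log: a Global Administrator adds a key to a long-unused app
AUDIT_EVENTS = [
    {"time": "2020-12-10T22:14:00Z", "operation": "Add service principal credentials",
     "initiatedBy": "globaladmin@example.test", "targetAppId": "app-mailsync"},
    {"time": "2020-12-11T09:00:00Z", "operation": "Add user",
     "initiatedBy": "helpdesk@example.test", "targetAppId": None},
]

# Constructed sign-in log: app-mailsync was last seen in June and returns hours
# after the new credential; app-backup signs in every day as usual
SIGNINS = [
    {"time": "2020-06-01T08:00:00Z", "appId": "app-mailsync", "principalType": "servicePrincipal"},
    {"time": "2020-06-02T08:00:00Z", "appId": "app-mailsync", "principalType": "servicePrincipal"},
    {"time": "2020-12-11T01:30:00Z", "appId": "app-mailsync", "principalType": "servicePrincipal"},
    {"time": "2020-12-11T01:45:00Z", "appId": "app-mailsync", "principalType": "servicePrincipal"},
    {"time": "2020-12-09T03:00:00Z", "appId": "app-backup", "principalType": "servicePrincipal"},
    {"time": "2020-12-10T03:00:00Z", "appId": "app-backup", "principalType": "servicePrincipal"},
    {"time": "2020-12-11T03:00:00Z", "appId": "app-backup", "principalType": "servicePrincipal"},
    {"time": "2020-12-11T08:00:00Z", "appId": "app-mailsync", "principalType": "user"},
]


def _ts(value):
    """Parse a UTC timestamp such as 2020-12-11T01:30:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_assignments(audit_events):
    """Every event that gave an application a credential usable for non-interactive sign-in."""
    return [e for e in audit_events if e["operation"] in CREDENTIAL_OPS]


def dormant_reactivations(signins, dormancy=DORMANCY):
    """(appId, last_seen, reactivated) for each service principal that signs in
    again after a gap longer than `dormancy`; user sign-ins are ignored."""
    by_app = defaultdict(list)
    for s in signins:
        if s["principalType"] == "servicePrincipal":
            by_app[s["appId"]].append(_ts(s["time"]))
    hits = []
    for app, times in by_app.items():
        times.sort()
        for prev, cur in zip(times, times[1:]):
            if cur - prev > dormancy:
                hits.append((app, prev, cur))
    return hits


def correlate(audit_events, signins, window=CORRELATION_WINDOW):
    """Alert when a credential is added to an app and that app's first sign-in
    after a dormancy gap follows within `window`."""
    added_at = {e["targetAppId"]: (_ts(e["time"]), e["initiatedBy"])
                for e in credential_assignments(audit_events)}
    alerts = []
    for app, last_seen, reactivated in dormant_reactivations(signins):
        if app in added_at:
            when, who = added_at[app]
            if timedelta(0) <= reactivated - when <= window:
                alerts.append({"appId": app, "credentialAddedBy": who, "credentialAdded": when,
                               "dormantSince": last_seen, "reactivated": reactivated})
    return alerts


if __name__ == "__main__":
    for event in credential_assignments(AUDIT_EVENTS):
        print("credential assigned:", event)
    for alert in correlate(AUDIT_EVENTS, SIGNINS):
        print("dormant app reactivated after credential add:", alert)
```

On real data the audit events come from the tenant's directory audit log and the sign-ins from the service principal sign-in log; the correlation is deliberately keyed on the initiating account so that an alert immediately shows which administrator (or compromised administrator account) assigned the credential.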