Detecting Abuse of Authentication Mechanisms – Abridged

Contact Your Elected Officials

Summary

Malicious cyber actors are abusing trust in federated authentication environments to access protected data. An โ€œon premisesโ€ federated identity provider or single sign-on (SSO) system lets an organization use the authentication systems they already own (e.g. tokens, authentication apps, one-time passwords, etc.) to grant access to resources, including resources in โ€œoff premisesโ€ cloud services. These systems often use cryptographically signed automated messages called โ€œassertionsโ€ shared via Security Assertion Markup Language (SAML) to show that users have been authenticated. When an actor can subvert authentication mechanisms, they can gain illicit access to a wide range of an organizations assets.

In some cases, actors have stolen keys from the SSO system that allow them to sign assertions and impersonate any legitimate user who could be authenticated by the system. On 7 December, NSA reported on an example where a zeroday vulnerability was being used to compromise VMware Accessยฎ1 and VMware Identity Managerยฎ2 servers, allowing actors to forge authentication assertions and thus gain access to the victimโ€™s protected data. In other cases, actors have gained enough privileges to create their own keys and identities such as โ€œservice principalsโ€ (cloud applications that act on behalf of a user) or even their own fake SSO system. According to public reporting, in some cases, the SolarWinds Orionยฎ3 code compromise provided actors initial access to an on-premises network which led to access within the cloud.

Note that these techniques alone do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services. The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in the federated identity system can be
abused for unauthorized access.

To defend against these techniques, organizations should pay careful attention to locking down SSO configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services. Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services. While these techniques apply to all cloud environments that support on-premises federated authentication, the following specific mitigations are focused on Microsoft Azureยฎ4 federation. Many of the techniques can be generalized to other environments as well.

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of NSAโ€™s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense, and Defense Industrial Base information systems, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

Client Requirements / General Cybersecurity Inquiries: Cybersecurity Requirements Center, 410-854-4200, Cybersecurity_Requests@nsa.gov

Media inquiries / Press Desk: Media Relations, 443-634-0721, MediaRelations@nsa.gov

Detecting Abuse of Authentication Mechanisms – Abridged

AUTHENTICATION_MECHANISMS_CSA_EXEC_U_OO_198854_20

Detecting Abuse of Authentication Mechanisms

AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20

The Thinking Conservative
The Thinking Conservativehttps://www.thethinkingconservative.com/
The goal of THE THINKING CONSERVATIVE is to help us educate ourselves on conservative topics of importance to our freedom and our pursuit of happiness. We do this by sharing conservative opinions on all kinds of subjects, from all types of people, and all kinds of media, in a way that will challenge our perceptions and help us to make educated choices.

AI is Now an Existential Threat

We now see evidence that artificial intelligence is an existential threat to our future. It is coming to take American jobs!

With or without

The mullahs of Iran have been at war with the West, particularly the US, for half a century and Iran is also the worldโ€™s foremost champion of terrorism.

Artificial Intelligence Equals Awful Iniquities

WSJ article โ€œAI is Learning to Escape Human Controlโ€ said in 79 of 100 trials, the o3 AI code systems edited their own code to prevent human shutdown!

VIDEO: Deranged Feminist vs. Mating Ducks in Epic Public Meltdown

A middle-aged white lady lib harasses mating ducks to โ€œstop it!โ€ because the rough sex they enjoy appears non-consensual on the part of the female.

RFK Jr. Slashes ALL U.S. Funding For Bill Gatesโ€™ Global โ€˜Vaccine Allianceโ€™

Robert F. Kennedy, Jr. recently pulled all U.S. government funding from Bill Gatesโ€™ Global โ€˜Vaccine Allianceโ€™ GAVI.

Musk Again Wades Into Politics, Calls GOP Bill โ€˜Insane and Destructiveโ€™

โ€œThe latest Senate draft bill will destroy millions of jobs in America and cause immense strategic harm to our country!โ€ Musk wrote in a Saturday post on X.

Nevada Seen as Case Study in Rapid Urban Sprawl Amid a Water Crisis

Nevadaโ€™s rapidly growing population has reached a critical intersection with the regionโ€™s worsening water crisis, according to experts.

US Streamlines Rule for Fining Illegal Immigrants, Will Issue Nearly $1,000 Daily Fines for Noncompliance

DHS and DOJ announced a new joint federal rule that streamlines the process of issuing fines for illegal immigrants, making it easier and more efficient.

Man Indicted on 12 Hate Crime Charges in Attack on Boulder Demonstration for Israeli Hostages

Boulder, CO man accused of hurling Molotov cocktails at demonstrators supporting Israeli hostages indicted by grand jury on 12 hate crime counts.

Canada-US Trade Talks Will End Until โ€˜Certain Taxesโ€™ Are Dropped, Trump Stresses

Trade discussions between Canada and the United States will end โ€œuntil such time as they drop certain taxes,โ€ U.S. President Trump said in an interview.

Trump Says US to Send Tariff Letters to Trade Partners Before July 9 Deadline

President Donald Trump said Sunday he will soon send letters to trading partners detailing the tariffs to be imposed on their exports to the United States.

Trump Says He Found a Buyer for TikTok

President Trump said he found a buyer for the Chinese-owned short video application TikTok, and that he will reveal the group in roughly two weeks.

Termination of โ€˜Wasteful Contractsโ€™ Saves US Government $470 Million Last Week: DOGE

Over the past seven days, various government agencies have terminated 312 โ€œwasteful contractsโ€ with a ceiling value of $2.8 billion, the DOGE said.
spot_img

Related Articles