Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

12/21/2020
04:10 PM
50%
50%

NSA, CISA Warn of Attacks on Federated Authentication

While incident responders focus on attacks using SolarWinds Orion, government cyber defenders highlight other methods likely being used as well.

An attacker-modified update to the SolarWinds Orion network management product that compromised thousands of companies and government agencies is likely not the only way Russian attackers infiltrated networks, according to the US Cybersecurity and Infrastructure Security Agency (CISA) in an update over the weekend.

In an updated alert about the recent cyber-espionage attacks against government agencies and private-sector companies, CISA noted on Dec. 18 that the attackers appear to have used other vectors of attacks outside of the SolarWinds Orion platform. On Dec. 21, the agency pointed to an advisory published the previous week by the National Security Agency, which warned that attackers were stealing private keys for single sign-on (SSO) infrastructure to bypass two-factor authentication.

Related Content:

Microsoft Confirms Its Network Was Breached With Tainted SolarWinds Updates

Building an Effective Cybersecurity Incident Response Team

New From The Edge: 7 Infamous Moments in Adobe Flash's Security History

The NSA pointed to a Dec. 7 warning that Russian state-sponsored actors had exploited a vulnerability in VMware Access and VMware Identify Manager products to gain access to protected data. CISA did not name VMware but cited the issue in similar language.

"Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," the agency stated in its updated advisory.

The additional information released over the weekend continues to broaden the scope and impact of what cybersecurity experts consider to be the most significant cyberattack in recent years. 

Last week, SolarWinds acknowledged that attackers had infiltrated its development process and inserted malicious code into the latest updates for Orion. Around 18,000 of the company's 33,000 customers updated their software between March 2020 and June 2020, inadvertently installing a backdoor for attackers. 

In the latest update, CISA pointed to an advisory published by the National Security Agency on Thursday about detecting abuse of authentication mechanisms, which cited CVE-2020-4006, a vulnerability in VMware's Access and Identity Manager products. 

The company, however, denies there is any evidence that its software has been used to establish a beachhead by attackers on vulnerable networks, noting it had patched the vulnerability on Dec. 3.

"[A]t this time, we have no indications that VMware has any involvement in the nation-state attack on SolarWinds," a company spokesperson said in a statement sent to Dark Reading. "We want to clarify that all unpatched vulnerabilities that provide initial access can be used to achieve and maintain a persistent presence in networks."

Yet the Dec. 7 NSA advisory specifically states "Russian State-Sponsored Actors Exploiting Vulnerability in VMware Workspace ONE Access Using Compromised Credentials," and the original vulnerability advisory from VMware, originally dated Nov. 24, acknowledges the NSA as the source of the disclosure. 

The NSA warned that companies that fail to lock down their federated authentication environments from credential-based attacks run the risk of having those environments compromised. 

"The exploitation occurs after the actors have gained initial access to a victim's on-premises network," the NSA advisory stated. "The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources."

Cybersecurity firm Volexity provided details from incidents all attributed to the SolarWinds actor -- which is called Dark Halo but which the government has identified as Russian Intelligence -- that abused the integration key from an Microsoft Outlook Web App for the federated identity server for Cisco's Duo Security. 

The precomputing session key "allowed (an) attacker with knowledge of a user account and password to ... completely bypass the MFA [multi-factor authentication] set on the account," Volexity's analysis stated. "It should be noted this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach."

The National Security Agency also stressed that the methods of attack did not mean federated identity systems have any inherent weakness or that the Security Assertion Markup Language had insecurities.

"The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens," the NSA stated it its advisory. "If any of these components is compromised, then the trust in authentication tokens from the components is misplaced and can be abused for unauthorized access."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...