The US National Security Agency published a security advisory on Thursday warning about two techniques hackers are using to escalate access from compromised local networks into cloud-based infrastructure.
The advisory comes on the heels of the massive SolarWinds supply chain hack[2] that has hit several US government agencies, security firm FireEye, and most recently, Microsoft[3].
While the NSA doesn't specifically mention the SolarWinds hack in its advisory, both techniques described in the document have also been spotted being abused by the SolarWinds hackers to escalate access to cloud resources after initially gaining access to local networks via the trojanized SolarWinds Orion app — as per advisories from FireEye[5], Microsoft[6], and CISA[7] (the US Cybersecurity and Infrastructure Security Agency).
So as not to distort the NSA's message, we'll quote details about the two techniques directly from the agency's advisory:
"In the first [technique], the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. [...]
In a variation of the first TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.
In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application's credentials for automated access to cloud resources (often email in
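The two TTPs quoted above leave different traces in different logs: a forged SAML token produces a cloud sign-in that the on-premises federation server never recorded issuing, while the "add a trust relationship" variant and the service-principal technique both appear as rare directory audit operations. The following is an added example of those two defender-side checks, not code from the NSA advisory or from this article; the records are constructed, the field names are a simplified schema assumed for illustration, and the audit operation names follow Azure AD audit-log naming.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real tenant); field names are simplified,
# the audit operation names follow Azure AD audit-log naming.
CLOUD_SIGNINS = [  # sign-ins as the cloud identity platform recorded them
    {"time": "2020-12-17T10:00:30Z", "user": "alice@example.test", "method": "federated", "token_lifetime_min": 60},
    {"time": "2020-12-17T10:05:00Z", "user": "svc-backup@example.test", "method": "federated", "token_lifetime_min": 525600},
    {"time": "2020-12-17T10:20:00Z", "user": "bob@example.test", "method": "password", "token_lifetime_min": 60},
]
ADFS_ISSUANCE = [  # SAML token issuance events logged by the on-prem federation server
    {"time": "2020-12-17T10:00:00Z", "user": "alice@example.test"},
]
AUDIT_EVENTS = [  # cloud directory audit log
    {"operation": "Add service principal credentials", "actor": "admin@example.test", "target": "mail-sync-app"},
    {"operation": "Set federation settings on domain", "actor": "breakglass@example.test", "target": "example.test"},
    {"operation": "Update user", "actor": "helpdesk@example.test", "target": "bob@example.test"},
]
# Operations that change who may sign SAML tokens for the tenant or that hand an
# application its own credentials: the levers used in the two TTPs quoted above.
SENSITIVE_OPS = {"Add service principal credentials", "Set federation settings on domain",
                 "Set domain authentication"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unissued_saml_logins(signins, issuances, window_min=5, max_lifetime_min=60):
    """Flag federated sign-ins with no on-prem issuance event shortly before them
    (a token the federation server never issued) or with a lifetime beyond policy."""
    flagged = []
    for s in (x for x in signins if x["method"] == "federated"):
        t = _ts(s["time"])
        issued = any(i["user"] == s["user"]
                     and timedelta(0) <= t - _ts(i["time"]) <= timedelta(minutes=window_min)
                     for i in issuances)
        reasons = []
        if not issued:
            reasons.append("no on-prem issuance event")
        if s["token_lifetime_min"] > max_lifetime_min:
            reasons.append("token lifetime exceeds policy")
        if reasons:
            flagged.append((s["user"], reasons))
    return flagged


def sensitive_directory_changes(events, approved_actors):
    """Return trust- or credential-changing operations performed by unapproved actors."""
    return [(e["operation"], e["actor"], e["target"]) for e in events
            if e["operation"] in SENSITIVE_OPS and e["actor"] not in approved_actors]
```

In a real deployment the issuance side comes from the federation server's token-issuance events and the sign-in side from the cloud provider's sign-in log; the correlation only works if clocks are synchronised and both logs are shipped off-host before an intruder can tamper with them.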
