The American National Security Agency (NSA) has issued a warning describing two threat vectors being used by cyber criminals. The targets of such attacks are local networks in general and cloud infrastructures in particular.
First of the two attack vectors is the possibility to forge or manipulate Security Assertion Markup Language (SAML) tokens. These SAML tokens are typically used in Single Sign-on (SSO) authentication processes.
The number of devices people use to access data and other resources has risen sharply during the pandemic. This has led to SSO protocols being used at a very large scale, which in turn enlarges the attack surface.
It all begins with compromising the on-premises components of an organization's single sign-on (SSO) infrastructure. Once that is done, the miscreants steal the private keys used to sign SAML tokens, and with them the entire SSO mechanism is compromised.
Using these stolen private keys, the infiltrators forge authentication tokens that the cloud services trust, and use them to access cloud resources. Although cyber criminals have been using this technique since 2017, its use has risen sharply in the current remote-work scenario.
In the second attack vector, the perpetrators generally start from a compromised global admin account. They use it to add credentials to cloud application service principals, the identities through which applications are granted access to cloud resources.
These attacker-added credentials are then used to infiltrate the cloud infrastructure, because the compromised applications can request access to other cloud resources in their own right. This vector can give the attackers access to the cloud environment without raising a red flag.
However, the NSA alert points out that there is no fundamental vulnerability in the design of identity management, the SAML protocol or cloud identity services. As a mitigating measure, the NSA recommends comprehensive cloud security rather than a single point fix.
It further recommends the use of log correlation tools. These do not rely only on environmental indicators but also apply AI and ML algorithms, and can detect unusual patterns in user authentication or authorization.
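As an added illustration of what such correlation looks like (this is not code from the NSA alert or from this article), the following script checks constructed, simplified log records for the two footprints described above: a cloud sign-in whose SAML token the on-premises federation server never logged as issued or whose lifetime is implausibly long, and a service principal that received a new credential and then signed in to other resources. The record fields are assumptions made for the example, not any vendor's log format.

```python
"""Correlate cloud sign-ins with on-premises federation and audit logs.

All log records below are constructed for this example; their field names
are assumptions, not a real product's schema.
"""

FEDERATION_ISSUED = [  # token issuance events from the on-prem SSO server
    {"token_id": "t-1001", "user": "alice"},
    {"token_id": "t-1002", "user": "bob"},
]
CLOUD_SIGNINS = [  # cloud-side sign-ins that presented a SAML token
    {"token_id": "t-1001", "user": "alice", "valid_hours": 1},
    {"token_id": "t-1002", "user": "bob", "valid_hours": 1},
    # accepted by the cloud, never issued on-prem, and valid for 30 days
    {"token_id": "t-9999", "user": "globaladmin", "valid_hours": 720},
]
AUDIT_EVENTS = [  # cloud directory audit log
    {"actor": "globaladmin", "op": "AddServicePrincipalCredential",
     "target": "sp-billing-app"},
    {"actor": "sp-billing-app", "op": "ServicePrincipalSignIn",
     "target": "mailbox-api"},
]


def forged_token_candidates(issued, signins, max_valid_hours=24):
    """Flag sign-ins whose token has no matching on-prem issuance event,
    or whose validity exceeds the lifetime the SSO server normally grants."""
    issued_ids = {e["token_id"] for e in issued}
    flagged = []
    for s in signins:
        reasons = []
        if s["token_id"] not in issued_ids:
            reasons.append("no matching on-prem issuance event")
        if s["valid_hours"] > max_valid_hours:
            reasons.append(f"validity {s['valid_hours']}h exceeds {max_valid_hours}h")
        if reasons:
            flagged.append((s["token_id"], s["user"], reasons))
    return flagged


def sp_credential_abuse_candidates(events):
    """Flag service principals that were given a new credential and then
    signed in to other resources; returns (principal, who added, resource)."""
    credentialed = {e["target"]: e["actor"] for e in events
                    if e["op"] == "AddServicePrincipalCredential"}
    return [(e["actor"], credentialed[e["actor"]], e["target"]) for e in events
            if e["op"] == "ServicePrincipalSignIn" and e["actor"] in credentialed]
```

In practice the issuance set would come from the federation server's own logs and the sign-ins from the cloud provider's sign-in log, joined on the token identifier the provider records.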
This news comes as little surprise given the phenomenal increase in the adoption of cloud solutions to support remote work. We all need to remain extra vigilant, whether we are users or cyber security analysts.