
2020.12.21

U.S. NSA: alert about attackers abusing authentication mechanisms to access resources in the cloud

Hello, this is Mitsuhiko Maruyama (丸山満彦).

This SolarWinds incident looks to have a large impact...

The U.S. National Security Agency (NSA) [wikipedia] has issued an alert that there are cases in which attackers abuse authentication mechanisms to access resources in the cloud...

National Security Agency: NSA

・2020.12.17 NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources

・[JPG] Infographic

・[PDF] Abridged version

・[PDF] Full text



■ References

U.K. National Cyber Security Centre: NCSC

・2020.12.18 NCSC statement on the SolarWinds compromise

The latest statement from the NCSC following the reported SolarWinds compromise.


● GOVINFO Security

・2020.12.19 NSA Warns of Hacking Tactics That Target Cloud Resources by

Alert Follows Week's Worth of Revelations About SolarWinds Breach



Detecting Abuse of Authentication Mechanisms - Abridged


Summary

Malicious cyber actors are abusing trust in federated authentication environments to access protected data. An “on premises” federated identity provider or single sign-on (SSO) system lets an organization use the authentication systems they already own (e.g. tokens, authentication apps, one-time passwords, etc.) to grant access to resources, including resources in “off premises” cloud services. These systems often use cryptographically signed automated messages called “assertions” shared via Security Assertion Markup Language (SAML) to show that users have been authenticated. When an actor can subvert authentication mechanisms, they can gain illicit access to a wide range of an organization’s assets.

In some cases, actors have stolen keys from the SSO system that allow them to sign assertions and impersonate any legitimate user who could be authenticated by the system. On 7 December, NSA reported on an example where a zero-day vulnerability was being used to compromise VMware Access®1 and VMware Identity Manager®2 servers, allowing actors to forge authentication assertions and thus gain access to the victim’s protected data. In other cases, actors have gained enough privileges to create their own keys and identities such as “service principals” (cloud applications that act on behalf of a user) or even their own fake SSO system. According to public reporting, in some cases, the SolarWinds Orion®3 code compromise provided actors initial access to an on-premises network which led to access within the cloud.

Note that these techniques alone do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services. The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access.

To defend against these techniques, organizations should pay careful attention to locking down SSO configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services.

Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services. While these techniques apply to all cloud environments that support on-premises federated authentication, the following specific mitigations are focused on Microsoft Azure®4 federation. Many of the techniques can be generalized to other environments as well.

...

1. VMware Access is a registered trademark of VMware
2. VMware Identity Manager is a registered trademark of VMware
3. SolarWinds Orion® is a registered trademark of SolarWinds Worldwide LLC.
4. Azure® is a registered trademark of Microsoft Corporation.
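As an added example (not code from the NSA advisory or from this blog), the following Python sketches the token-monitoring idea in the quoted summary: it checks the certificate carried in each SAML assertion against a pinned thumbprint of the legitimate on-premises federation server and flags validity windows longer than a policy ceiling. The pinned certificate bytes, the one-hour ceiling, the `build_assertion` helper and the sample assertions are all constructed assumptions for the demonstration.

```python
"""Added example, not NSA or blog code: flag SAML 2.0 assertions whose signing
certificate is not the pinned federation certificate or whose lifetime is too long."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_CERT_DER = b"constructed-legitimate-federation-cert"  # placeholder, not real DER
TRUSTED_THUMBPRINT = hashlib.sha1(TRUSTED_CERT_DER).hexdigest()
MAX_LIFETIME = timedelta(hours=1)  # hypothetical policy ceiling for assertion lifetime
ISSUED = datetime(2020, 12, 17, 12, 0, tzinfo=timezone.utc)  # constructed issue time
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_assertion(subject, cert_der, not_before, lifetime_seconds):
    """Construct a minimal assertion carrying a signing cert (test input only)."""
    not_on_or_after = not_before + timedelta(seconds=lifetime_seconds)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(cert_der).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TS_FMT)}"
                   NotOnOrAfter="{not_on_or_after.strftime(TS_FMT)}"/>
</saml:Assertion>"""

def review_assertion(xml_text):
    """Return the list of findings for one assertion; [] means nothing flagged."""
    ts = lambda v: datetime.strptime(v, TS_FMT).replace(tzinfo=timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert_b64 is None:
        findings.append("no-signing-certificate")
    elif hashlib.sha1(base64.b64decode(cert_b64)).hexdigest() != TRUSTED_THUMBPRINT:
        findings.append("unknown-signing-certificate")  # signer is not the pinned IdP
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:  # Conditions is optional in SAML; only check it when present
        lifetime = ts(cond.get("NotOnOrAfter")) - ts(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"excessive-lifetime:{int(lifetime.total_seconds())}s")
    return findings

if __name__ == "__main__":
    good = build_assertion("alice@example.org", TRUSTED_CERT_DER, ISSUED, 300)
    forged = build_assertion("admin@example.org", b"constructed-attacker-cert", ISSUED, 7 * 86400)
    print(review_assertion(good), review_assertion(forged))  # [] ['unknown-signing-certificate', 'excessive-lifetime:604800s']
```

In a real deployment the thumbprint and ceiling come from the federation server's published signing certificate and the organization's token policy, and findings would be correlated with on-premises sign-in events rather than printed.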
