
Fed Cybersecurity Advisory Alerts to Abuse of Authentication Mechanisms

The Russian hackers behind the SolarWinds’ attack have claimed multiple victims in the government sector, with the latest efforts concentrated on the abuse of authentication mechanisms.


By Jessica Davis

The Department of Homeland Security is again urging organizations to review insights around the ongoing cyberattacks stemming from the SolarWinds' hack. The latest alert provides NSA guidance on the abuse of authentication mechanisms, as the extent of the malware attack rapidly expands.

The attacks stem from trojanized SolarWinds Orion Platform software updates, versions 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020. The threat actors hijacked the updates and inserted malware, meaning that any customer that applied one of those updates installed a Trojan.

As a result, a massive range of public and private sector organizations have been hacked, and the full extent is still unclear.

The ongoing global supply-chain attacks led by hackers with likely ties to Russia have already claimed multiple victims within the government sector, including DHS and the Departments of Treasury and Commerce's National Telecommunications and Information Administration (NTIA), along with the National Institutes of Health, technology firms, and even educational organizations.

A “kill switch” feature has been deployed to close off access to hackers, while Microsoft quarantined apps linked to the recent hacks. However, many organizations are continuing to use the vulnerable software.

The latest DHS update again urges remediation of the SolarWinds flaw, while providing indicators of compromise relating to protected data in the cloud, to help organizations understand and detect the abuse of authentication mechanisms.

Most notably, the alert shows that hackers are not only abusing the SolarWinds vulnerability in these supply-chain attacks. According to the NSA, hackers are actively abusing trust across a range of environments to access protected data.

“An ‘on premises’ federated identity provider or single sign-on (SSO) system lets an organization use the authentication systems they already own (e.g. tokens, authentication apps, one-time passwords, etc.) to grant access to resources, including resources in ‘off premises’ cloud services,” according to the alert.

“When an actor can subvert authentication mechanisms, they can gain illicit access to a wide range of an organization’s assets,” it added. “In some cases, actors have stolen keys from the SSO system that allow them to sign assertions and impersonate any legitimate user who could be authenticated by the system.”

For one victim, an attacker exploited a zero-day flaw to compromise VMware servers, which the NSA said allowed the actor to gain sufficient privileges to create their own keys and identities, and even their own SSO system.

Further data shows that the compromised SolarWinds code could also give attackers initial access to an on-prem network, from which they could move on to data in the cloud.

NSA stressed that the hacking techniques don’t necessarily constitute vulnerabilities in the design principles of these protocols. 

“The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access,” according to the alert.
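The two quoted passages make the same point: once the on-premises component that signs SAML tokens is compromised, a forged assertion is indistinguishable from a legitimate one to the cloud service, because the signature verifies. What a defender can still check is whether the on-premises SSO system actually issued the assertion the cloud service accepted. The following script is an added illustration of that correlation and is not code from the alert, NSA, CISA, or any vendor. It assumes (hypothetically) that the identity provider logs every assertion it signs, keyed by assertion ID, that the cloud service logs the assertion ID it consumed, and that the organization's policy caps token lifetime at one hour; all log records below are constructed samples.

```python
"""Correlate cloud SAML sign-ins with on-premises IdP issuance logs.

Added illustration, not code from the NSA/CISA alert or any vendor.
Assumption: the on-prem IdP records every assertion it signs (keyed by
assertion ID) and the cloud relying party logs the assertion ID it accepted.
An assertion signed with a stolen key never passes through the IdP, so it has
no issuance record; a minted token may also carry an unusually long validity
window. Both conditions are flagged. All records here are constructed samples.
"""
from datetime import datetime, timedelta

# Constructed IdP issuance log: assertions the on-prem SSO system actually signed.
IDP_ISSUANCE_LOG = [
    {"assertion_id": "_a1", "user": "alice@example.org",
     "not_before": "2020-12-17T09:00:00", "not_on_or_after": "2020-12-17T10:00:00"},
    {"assertion_id": "_b2", "user": "bob@example.org",
     "not_before": "2020-12-17T09:05:00", "not_on_or_after": "2020-12-17T10:05:00"},
]

# Constructed cloud-side sign-in log: assertions the relying party accepted.
CLOUD_SIGNIN_LOG = [
    {"assertion_id": "_a1", "user": "alice@example.org", "src_ip": "203.0.113.10",
     "not_before": "2020-12-17T09:00:00", "not_on_or_after": "2020-12-17T10:00:00"},
    {"assertion_id": "_b2", "user": "bob@example.org", "src_ip": "203.0.113.11",
     "not_before": "2020-12-17T09:05:00", "not_on_or_after": "2020-12-17T10:05:00"},
    # Accepted by the cloud service, never issued by the IdP, and valid for a week.
    {"assertion_id": "_zz9", "user": "admin@example.org", "src_ip": "198.51.100.7",
     "not_before": "2020-12-17T09:10:00", "not_on_or_after": "2020-12-24T09:10:00"},
]

# Assumed organizational policy: the IdP never issues tokens valid longer than this.
MAX_LIFETIME = timedelta(hours=1)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def assertion_lifetime(record: dict) -> timedelta:
    """Validity window of an assertion as recorded in the log."""
    return _parse(record["not_on_or_after"]) - _parse(record["not_before"])


def find_suspicious_signins(idp_log, cloud_log, max_lifetime=MAX_LIFETIME):
    """Return [(assertion_id, [reasons])] for cloud sign-ins that do not line up
    with the IdP's own issuance record or exceed the lifetime policy."""
    issued = {r["assertion_id"]: r for r in idp_log}
    findings = []
    for rec in cloud_log:
        reasons = []
        issued_rec = issued.get(rec["assertion_id"])
        if issued_rec is None:
            reasons.append("no matching IdP issuance record")
        elif issued_rec["user"] != rec["user"]:
            reasons.append("subject differs from issued assertion")
        if assertion_lifetime(rec) > max_lifetime:
            reasons.append("validity window exceeds policy")
        if reasons:
            findings.append((rec["assertion_id"], reasons))
    return findings


if __name__ == "__main__":
    for aid, reasons in find_suspicious_signins(IDP_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"{aid}: {'; '.join(reasons)}")
```

Run as-is, the script reports only the constructed `_zz9` sign-in, for both reasons. The design point is that the check does not rely on the signature at all, since a stolen signing key makes the signature worthless as evidence; it relies instead on a record the attacker cannot retroactively create on the IdP without also compromising its logging.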

“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks,” CISA explained. “Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.”

Hackers are leveraging these weaknesses through several different attack methods, including user impersonation, a complex network of IP addresses to obscure their activity, and privilege escalation and persistence, to name a few.

Organizations that suspect they’ve been compromised in this way should pay close attention to operational security, including incident response activity and previously practiced remediation plans.

In recent days, federal agencies and security researchers have stressed that these initial reports may not fully capture the extent of the ongoing attacks, and that organizations must remain vigilant to defend against, detect, and respond to these events.