An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

News | Dec. 17, 2020

NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources

In response to ongoing cybersecurity events, the National Security Agency (NSA) released a Cybersecurity Advisory Thursday “Detecting Abuse of Authentication Mechanisms.” This advisory provides guidance to National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to detect and mitigate against malicious cyber actors who are manipulating trust in federated authentication environments to access protected data in the cloud. It builds on the guidance shared in the cybersecurity advisory regarding VMware with state-sponsored actors exploiting CVE 2020-4006 and forging credentials to access protected files, though other nation states and cyber criminals may use this tactic, technique, and procedure (TTP) as well.

Detecting Abuse of Authentication Mechanisms Infographic
Detecting Abuse of Authentication Mechanisms Infographic
Detecting Abuse of Authentication Mechanisms Infographic
Detecting Abuse of Authentication Mechanisms Infographic
Detecting Abuse of Authentication Mechanisms Infographic
Photo By: NSA Cybersecurity
VIRIN: 201217-D-IM742-1001

This advisory specifically discusses detection and mitigation of two TTPs to forge authentications and gain access to a victim’s cloud resources. While these TTPs require the actors to already have privileged access in an on-premises environment, they are still dangerous as they can be combined with other vulnerabilities to gain initial access, then undermine trust, security, and authentication. Initial access can be established through a number of means, including known and unknown vulnerabilities. The recent SolarWinds Orion ® code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.

Mitigation actions include hardening and monitoring systems that run local identity and federation services, locking down tenant single sign-on (SSO) configuration in the cloud, and monitoring for indicators of compromise. NSA remains committed to providing timely, actionable and relevant guidance, and is partnering across the public and private sectors in ongoing incident response efforts. Releasing this advisory with further technical guidance allows NSA’s customers to apply preventative measures to the fullest extent along with the detection and mitigation actions.

For a quick summary on how you can take action, take a look at our infographic.

Read the full advisory here.
Read the abridged version here.