NSA on Authentication Hacks (Related to SolarWinds Breach)
2020-12-18 16:35

The NSA has published an advisory outlining how "malicious cyber actors" are "manipulating trust in federated authentication environments to access protected data in the cloud." This is related to the SolarWinds hack I have previously written about, and represents one of the techniques the SVR is using once it has gained access to target networks.

The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.

Using the private keys, the actors then forge trusted authentication tokens to access cloud resources.

A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access and VMware Identity Manager that allowed them to perform this TTP and abuse federated SSO infrastructure.

The actors then invoke the application's credentials for automated access to cloud resources that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious.


News URL

https://www.schneier.com/blog/archives/2020/12/nsa-on-authentication-hacks-related-to-solarwinds-breach.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Solarwinds 56 33 104 80 50 267
NSA 2 0 12 0 2 14