NSA warns of hackers forging cloud authentication information
Security News, December 2020
An advisory from the U.S. National Security Agency provides Microsoft Azure administrators guidance to detect and protect against threat actors looking to access resources in the cloud by forging authentication information.
The two tactics, techniques, and procedures (TTPs) discussed in the NSA's advisory have been in use since at least 2017, and both involve forging Security Assertion Markup Language (SAML) tokens used for single sign-on (SSO) authentication to other service providers.
"In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources" - the U.S. National Security Agency [PDF].
On-premises components responsible for authenticating users, assigning privileges, and signing SAML tokens are essential to the security of identity federation in any cloud environment.
For Microsoft Azure environments, the NSA recommends reviewing the authentication and authorization configuration in Active Directory and configuring it to reject authorization requests that present tokens whose attributes do not conform to organizational policy.
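One way to implement the attribute-conformance check the advisory recommends, as an added example that is not from the NSA advisory or from Microsoft's own tooling: the issuer, audience and maximum-lifetime values are placeholder assumptions, and cryptographic signature verification is assumed to have already been done before these checks run (a token forged with a stolen signing key passes that step, which is why the attribute checks matter).

```python
# Added example (not from the NSA advisory): check a SAML 2.0 assertion's
# attributes against organizational policy. Signature verification is assumed
# to happen first; a token forged with a stolen key passes it, so this is next.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical policy values (placeholders for an organization's real settings).
POLICY = {"issuer": "https://sts.example.test/adfs/services/trust",
          "audience": "urn:federation:MicrosoftOnline",
          "max_lifetime": timedelta(hours=1)}

def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_assertion(xml_text, now):
    """Return the list of policy violations found in one assertion."""
    a = ET.fromstring(xml_text)
    violations = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != POLICY["issuer"]:
        violations.append(f"unexpected issuer {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        violations.append("missing Conditions or validity bounds")
    else:
        nb, na = _utc(cond.get("NotBefore")), _utc(cond.get("NotOnOrAfter"))
        if not nb <= now < na:
            violations.append("token presented outside its validity window")
        if na - nb > POLICY["max_lifetime"]:
            violations.append(f"lifetime {na - nb} exceeds policy maximum")
        auds = [e.text for e in cond.findall(".//saml:Audience", NS)]
        if POLICY["audience"] not in auds:
            violations.append(f"audience {auds} omits the expected relying party")
    if a.find("saml:AuthnStatement", NS) is None:
        violations.append("no AuthnStatement: no record of an actual logon")
    return violations

# Constructed sample assertion: valid issuer and audience, but a ten-day
# lifetime and no AuthnStatement, which policy should reject.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_c1" Version="2.0" IssueInstant="2020-12-01T10:00:00Z">
 <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
 <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2020-12-01T10:00:00Z" NotOnOrAfter="2020-12-11T10:00:00Z">
  <saml:AudienceRestriction><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def demo():
    return check_assertion(SAMPLE, datetime(2020, 12, 5, tzinfo=timezone.utc))
```

In a real deployment the same checks would be run on every incoming assertion, with violations logged to the SIEM so that out-of-policy tokens are both rejected and investigated.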