The NSA Warns of Attacks against Authentication Mechanisms in the Cloud

Cloud services are increasingly used on the Internet. Many platforms let users host content, use remote tools, work remotely, and more. All of this requires security measures that prevent unauthorized parties from getting in and accessing the content. In this article we report on new attacks that have been discovered by the NSA and that affect authentication mechanisms in the cloud.

The NSA detects attacks against authentication mechanisms

The NSA, the National Security Agency of the United States, has issued a warning about two new attack techniques that it has discovered against authentication mechanisms in the cloud. The problem can put the privacy and security of users at risk.

According to the NSA, these attacks occur after the attackers have gained access to the victim's local network. They take advantage of privileged access within the local environment to break the authentication mechanisms that an organization uses when granting access to cloud and local resources. This also compromises the administrator credentials.

They can do this using two different sets of tactics, techniques and procedures, according to the security researchers behind this discovery.

In the first of these two sets, attackers compromise local components of an SSO (single sign-on) infrastructure and steal the credential or private key that is used to sign SAML tokens that those single sign-on processes use.

By using private keys, attackers subsequently forge trusted authentication tokens and gain access to cloud resources.

They further indicate that if hackers cannot acquire a local signing key, they will seek a way to obtain sufficient administrative privileges within the cloud to add a malicious certificate that allows forging SAML tokens.

In the second of the two sets of tactics, techniques and procedures, cybercriminals take advantage of a compromised global administrator account to assign credentials to cloud application service principals. Hackers then invoke the application's credentials for automated access to cloud resources (often email).

Both techniques rely on the trust placed in the local components that authenticate users, assign privileges, and sign SAML tokens. If any of these components is compromised, the trust placed in the authentication tokens it issues is no longer justified and can be abused for unauthorized access.

These security researchers indicate that to avoid these problems it is necessary to lock down the SSO configuration and harden the systems that run identity services.
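One way to look for tokens forged with a stolen key or an added certificate, shown as an added example that is not part of the original article or the NSA advisory: compare the SAML sign-ins recorded by the cloud service with the tokens the on-premises identity provider actually issued. The record layout, field names, fingerprints and log entries are all constructed for illustration.

```python
# Added example: hypothetical log schema and constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Issued:            # one token-issuance record from the on-premises IdP log
    assertion_id: str
    subject: str

@dataclass(frozen=True)
class SignIn:            # one SAML sign-in record from the cloud service log
    assertion_id: str
    subject: str
    cert_fp: str         # fingerprint of the certificate that verified the token

# Fingerprints of the signing certificates the organization deployed (constructed).
TRUSTED_FPS = {"fp-prod-2020"}

def find_suspect_signins(issued, signins, trusted_fps=TRUSTED_FPS):
    """Return (sign-in, reason) pairs for tokens the IdP cannot account for."""
    issued_by_id = {rec.assertion_id: rec for rec in issued}
    findings = []
    for s in signins:
        # A certificate nobody deployed points to a modified federation trust.
        if s.cert_fp not in trusted_fps:
            findings.append((s, "unknown signing certificate"))
            continue
        rec = issued_by_id.get(s.assertion_id)
        if rec is None:
            # Valid signature but no issuance record: signed outside the IdP.
            findings.append((s, "no matching IdP issuance"))
        elif rec.subject != s.subject:
            findings.append((s, "subject differs from IdP record"))
    return findings

IDP_LOG = [Issued("_a1", "alice@example.com"), Issued("_b2", "bob@example.com")]
CLOUD_LOG = [
    SignIn("_a1", "alice@example.com", "fp-prod-2020"),    # issued normally
    SignIn("_z9", "admin@example.com", "fp-prod-2020"),    # real key, never issued
    SignIn("_b2", "admin@example.com", "fp-prod-2020"),    # subject was changed
    SignIn("_c3", "carol@example.com", "fp-added-later"),  # certificate not deployed
]

if __name__ == "__main__":
    for signin, reason in find_suspect_signins(IDP_LOG, CLOUD_LOG):
        print(f"{signin.assertion_id} {signin.subject}: {reason}")
```

The comparison only works if the identity provider's issuance log is complete and stored where an attacker with local privileged access cannot alter it.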

Remember how important it is to protect cloud security. There are many attacks that we can suffer and that, in one way or another, could put our equipment at risk. In another article we give some tips for working in the cloud safely. Teleworking has also increased a lot in recent times, and you have to protect yourself there too.