Saturday, December 19, 2020

From NSA.gov; copied and reproduced here "as is."

Summary

Malicious cyber actors are abusing trust in federated authentication environments to access protected data. The exploitation occurs after the actors have gained initial access to a victim’s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources. The actors demonstrate two sets of tactics, techniques, and procedures (TTPs) for gaining access to the victim network’s cloud resources, often with a particular focus on organizational email.

In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens (TA0006¹, T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access®² and VMware Identity Manager®³ that allowed them to perform this TTP and abuse federated SSO infrastructure [1]. While that example of this TTP may have previously been attributed to nation-state actors, a wealth of actors could be leveraging this TTP for their objectives. This SAML forgery technique has been known and used by cyber actors since at least 2017 [2]. In a variation of the first TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.
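The first TTP leaves a detectable gap: a forged token is presented to the cloud tenant, but the on-premises federation service never issued it. The Python below is an added example of that correlation check; it is not part of the NSA advisory and is not Microsoft tooling. It assumes AD FS security auditing is enabled so that event 1200 (token issued) is available, uses field names modelled on the Microsoft Graph signIn resource (a tokenIssuerType of ADFederationServices marks a sign-in that presented an AD FS-issued token), and every log record in it is constructed for the example; the correlation window and clock-skew allowance are assumptions to tune per environment.

```python
"""Flag federated cloud sign-ins that have no matching AD FS token issuance.

Added example, not advisory text. All records below are constructed.
"""
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

ISSUANCE_EVENT_ID = 1200                    # AD FS audit: "The Federation Service issued a valid token"
FEDERATED_ISSUER = "ADFederationServices"   # signIn.tokenIssuerType for tokens issued by AD FS
CORRELATION_WINDOW = timedelta(minutes=10)  # assumption: how old an issuance may be and still explain a sign-in
CLOCK_SKEW = timedelta(minutes=1)           # assumption: tolerated skew between AD FS and cloud clocks

# Constructed AD FS security-log events: 1202 = credential validated, 1200 = token issued.
ADFS_EVENTS = [
    {"EventID": 1202, "TimeCreated": "2020-12-01T09:00:04Z", "UserPrincipalName": "alice@corp.example"},
    {"EventID": 1200, "TimeCreated": "2020-12-01T09:00:05Z", "UserPrincipalName": "alice@corp.example"},
    {"EventID": 1202, "TimeCreated": "2020-12-01T09:29:59Z", "UserPrincipalName": "bob@corp.example"},
    {"EventID": 1200, "TimeCreated": "2020-12-01T09:30:00Z", "UserPrincipalName": "bob@corp.example"},
]

# Constructed cloud sign-in records (field names after the Microsoft Graph signIn resource).
CLOUD_SIGNINS = [
    {"id": "s1", "createdDateTime": "2020-12-01T09:00:07Z", "userPrincipalName": "alice@corp.example",
     "tokenIssuerType": FEDERATED_ISSUER, "ipAddress": "203.0.113.10", "appDisplayName": "Exchange Online"},
    # bob's last issuance was at 09:30; a federated token for him shows up at 11:45 with nothing behind it
    {"id": "s2", "createdDateTime": "2020-12-01T11:45:00Z", "userPrincipalName": "bob@corp.example",
     "tokenIssuerType": FEDERATED_ISSUER, "ipAddress": "198.51.100.7", "appDisplayName": "Exchange Online"},
    # cloud-native authentication: AD FS is not involved, so this check does not apply
    {"id": "s3", "createdDateTime": "2020-12-01T12:00:00Z", "userPrincipalName": "carol@corp.example",
     "tokenIssuerType": "AzureAD", "ipAddress": "203.0.113.11", "appDisplayName": "Azure Portal"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_issuance_index(adfs_events):
    """Map lower-cased UPN -> sorted issuance times, using only event 1200."""
    index = defaultdict(list)
    for event in adfs_events:
        if event["EventID"] == ISSUANCE_EVENT_ID:
            index[event["UserPrincipalName"].lower()].append(parse_ts(event["TimeCreated"]))
    for times in index.values():
        times.sort()
    return index


def find_uncorrelated(signins, adfs_events, window=CORRELATION_WINDOW, skew=CLOCK_SKEW):
    """Return the federated sign-ins for which AD FS recorded no issuance in the window."""
    index = build_issuance_index(adfs_events)
    flagged = []
    for signin in signins:
        if signin.get("tokenIssuerType") != FEDERATED_ISSUER:
            continue  # token did not claim to come from AD FS
        seen_at = parse_ts(signin["createdDateTime"])
        times = index.get(signin["userPrincipalName"].lower(), [])
        # any issuance in [seen_at - window, seen_at + skew] can explain this token
        lo = bisect_left(times, seen_at - window)
        hi = bisect_right(times, seen_at + skew)
        if lo == hi:
            flagged.append({
                "id": signin["id"],
                "user": signin["userPrincipalName"],
                "ip": signin.get("ipAddress"),
                "app": signin.get("appDisplayName"),
                "reason": f"no AD FS event {ISSUANCE_EVENT_ID} for this user within {window} of the sign-in",
            })
    return flagged


if __name__ == "__main__":
    for hit in find_uncorrelated(CLOUD_SIGNINS, ADFS_EVENTS):
        print(hit)
```

A sign-in with no issuance event is an indicator, not proof: an AD FS farm with auditing disabled, a log-shipping gap, or a proxy that rewrites UPNs will all produce false positives. Conversely, an actor who has the token-signing key usually has enough on-premises privilege to edit the AD FS logs, so forward them off-host as they are written, and treat the cloud sign-in log as the side that can be trusted.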
In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002).

Note that these TTPs (in and of themselves) do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services. The security of identity federation in any cloud environment directly depends on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, then the trust in authentication tokens from the components is misplaced and can be abused for unauthorized access. It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML tokens could be forged, granting access to numerous resources.

Microsoft Active Directory Federation Services (ADFS)®⁴ is an identity federation technology used to federate identities with Active Directory (AD)®⁵, Azure Active Directory (AAD)®⁶, and other identity providers, such as VMware Identity Manager. By abusing the federated authentication, the actors are not exploiting a vulnerability in ADFS, AD, or AAD, but rather abusing the trust established across the integrated components. Due to the popularity of ADFS, numerous actors target ADFS, as well as other identity providers trusted by ADFS (T1199), to gain access to cloud services, such as Microsoft Office 365.
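Both the malicious trust relationship (the variation of the first TTP) and the credential added to a service principal (the second TTP) are directory changes that Azure AD records in its audit log, so the cloud side can be checked even when the on-premises logs are suspect. The Python below is an added example of that triage, not advisory text or Microsoft code. Record fields follow the Microsoft Graph directoryAudit resource (activityDisplayName, initiatedBy, targetResources), and the activity names are the ones Azure AD uses for these operations; the audit records, the approved-initiator list and the burst threshold are constructed assumptions for the example.

```python
"""Triage Azure AD audit-log entries for federation-trust and service-principal credential changes.

Added example, not advisory text. All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activities that add or replace an application / service principal credential (second TTP).
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
# Activities that change which issuer a domain trusts for SAML tokens (variation of the first TTP).
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
}
APPROVED_INITIATORS = {"svc-idm-deploy@corp.example"}  # assumption: accounts expected to add app credentials
BURST_WINDOW = timedelta(minutes=30)                   # assumption: window for "several apps in one session"
BURST_THRESHOLD = 3                                    # assumption: credential changes per initiator in that window


def _entry(id_, when, activity, who, target):
    """Build a minimal directoryAudit-shaped record (constructed data)."""
    return {"id": id_, "activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": who}},
            "targetResources": [{"displayName": target}]}


AUDIT_ENTRIES = [
    _entry("a1", "2020-12-01T08:00:00Z", "Add service principal credentials", "svc-idm-deploy@corp.example", "HR Connector"),
    _entry("a5", "2020-12-01T08:10:00Z", "Update user", "helpdesk@corp.example", "dave@corp.example"),
    _entry("a2", "2020-12-01T22:15:00Z", "Add service principal credentials", "admin.mallory@corp.example", "Mail Archiver"),
    # Azure AD writes this activity name with an en dash; normalize() folds it to a hyphen
    _entry("a3", "2020-12-01T22:20:00Z", "Update application \u2013 Certificates and secrets management",
           "admin.mallory@corp.example", "Mail Archiver"),
    _entry("a6", "2020-12-01T22:31:00Z", "Add service principal credentials", "admin.mallory@corp.example", "Reporting Bot"),
    _entry("a4", "2020-12-01T22:40:00Z", "Set federation settings on domain", "admin.mallory@corp.example", "corp.example"),
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(activity_name):
    """Fold en/em dashes to '-' so display names compare reliably."""
    return activity_name.replace("\u2013", "-").replace("\u2014", "-")


def _alert(entry_id, ttp, initiator, target, reason):
    return {"id": entry_id, "ttp": ttp, "initiator": initiator, "target": target, "reason": reason}


def triage(entries, approved=APPROVED_INITIATORS):
    """Return alerts for federation-trust changes and suspicious credential additions, in time order."""
    alerts = []
    credential_times = defaultdict(list)  # initiator -> times of credential changes seen so far
    for entry in sorted(entries, key=lambda r: r["activityDateTime"]):
        name = normalize(entry["activityDisplayName"])
        who = entry["initiatedBy"].get("user", {}).get("userPrincipalName", "<application>")
        targets = entry.get("targetResources") or [{}]
        target = targets[0].get("displayName", "?")
        if name in FEDERATION_ACTIVITIES:
            # rare and tenant-wide: always worth a human look, whoever did it
            alerts.append(_alert(entry["id"], "TTP1-variation", who, target,
                                 "federation trust of a domain changed"))
        elif name in CREDENTIAL_ACTIVITIES:
            when = parse_ts(entry["activityDateTime"])
            credential_times[who].append(when)
            if who not in approved:
                alerts.append(_alert(entry["id"], "TTP2", who, target,
                                     "credential added to application by non-approved account"))
            recent = [t for t in credential_times[who] if when - t <= BURST_WINDOW]
            if len(recent) == BURST_THRESHOLD:
                alerts.append(_alert(entry["id"], "TTP2", who, target,
                                     f"{BURST_THRESHOLD} credential changes within {BURST_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in triage(AUDIT_ENTRIES):
        print(alert)
```

Federation changes are flagged unconditionally because they are rare and affect every user of the domain. Credential additions are filtered against an allow-list and a burst threshold, since a compromised global administrator wiring credentials into several applications in one session is the pattern described above; an allow-listed account is not a clean bill of health, because that account may itself be the one compromised. Follow up any hit by listing the credentials on the target application, revoking the ones nobody can account for, and reviewing what the application is permitted to read (mail access in particular).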
Once access is gained, the actors monitor or exfiltrate emails and documents

Source: AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF (defense.gov), https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF

________________________________________________
1. TA0006 and similar references are MITRE® ATT&CK® tactics and techniques. MITRE and ATT&CK are registered trademarks of The MITRE Corporation.
2. VMware Access® is a registered trademark of VMware.
3. VMware Identity Manager® is a registered trademark of VMware.
4. Microsoft Active Directory Federation Services (ADFS)® is a registered trademark of Microsoft Corporation.
5. Active Directory (AD)® is a registered trademark of Microsoft Corporation.
6. Azure Active Directory (AAD)® is a registered trademark of Microsoft Corporation.
