When Clouds Collide: Mitigating Federated Identity Attacks
Published On January 15, 2021
Blog Post by Bruce Edwards, Senior Manager at Meditology Services
Recommendations for addressing recent warnings from the NSA of cloud breaches via federated identity
The NSA has issued a cybersecurity advisory for cloud attack techniques currently in use by malicious actors that abuse federated identity trust models. This new approach allows attackers to jump across cloud-hosted platforms undetected and move from less-protected environments to more sensitive cloud applications like Microsoft Office365 email.
The merging or collision of cloud environments from an access perspective has exposed healthcare entities to new avenues of breach that require attention in the near term. This blog provides an overview of federated identity attacks and outlines recommendations for healthcare entities to mitigate their effectiveness.
How It Works: Federated Identity Attacks for Cloud Environments
In order for the malicious actor to leverage these federated identity attacks, they must have already gained access to the target network. In other words, the attackers must gain some initial access to your network, which is most commonly achieved through phishing attacks and exploiting missing security patches. The recent high-profile SolarWinds supply chain breach is also another avenue for attackers to gain network access to healthcare organizations. You can read more about this specific breach in our related blog: Massive SolarWinds Breach Exposes Supply Chain Risks.
Once on your network, attackers leverage federated identity configurations that allow users on the network to traverse cloud applications without additional logins, much in the same way as Single Sign-On (SSO) technology works for on-premises applications.
According to the NSA, the malicious actors’ goal is to obtain access to sensitive cloud-hosted platforms like Microsoft Office365 email. Attempts to gain access to Microsoft Office365 email directly from the front end, or through the front door so to speak, are typically less successful. This is due to stronger security controls in place like account lockouts for failed login attempts, multi-factor authentication, and increased monitoring of those access points. However, if the attackers piggyback on your federated identity configurations, then they can bypass many of those more restrictive security controls. This is akin to the bad guy jumping into the backseat of your car before you roll into the garage and then entering through the open door from the garage to your home.
The technologies being exploited for these recent federated attacks include VMware Access, VMware Identity Manager, Microsoft Active Directory Federation Services (ADFS), and Azure AD. Malicious actors take advantage of recently reported vulnerabilities in the VMware identity management solution set to obtain on-premises signing keys and forge SAML tokens (the mechanism that allows the single sign-on functionality to work). The VMware Access and Identity Manager vulnerabilities were widely reported in use by the Russian attackers late last year and are now being exploited more broadly, according to the NSA's information.
Another variation of attack involves attackers escalating their privileges in the Microsoft environment to hijack configuration settings for ADFS and Azure AD to permit excessive trust between cloud applications. In this version, attackers compromise your global administrator account, which is basically a domain administrator account for those in a Microsoft Windows environment, and then get access to ADFS to assign which cloud services can automatically pass through access to other cloud services. This provides the bad guys with access to the rules engine for cloud-to-cloud access, which the NSA notes they are frequently using to gain access to Microsoft Office365 email. This attack in particular is very difficult to detect since the traffic and access looks legitimate and may not raise any alarms of suspicious activity.
Recommendations for Mitigating Cloud Federation Attacks
The NSA recommends following Microsoft's published Federation and SAML Guidance as a starting point to make sure that ADFS is configured properly in alignment with security control standards. They further advise organizations to lock down or “harden” the Azure Active Directory (AAD) environment by rejecting authorization requests from non-standard methods, requiring multi-factor authentication, and disabling legacy authentication to AAD. While the NSA alert was specific to recent Microsoft and VMware-related vulnerabilities, they also note that “many of the techniques can be generalized to other environments.”
The NSA also advises that organizations should strongly consider deploying a FIPS validated Hardware Security Module to store on-premises token signing certificate private keys. They further recommend ensuring that “core privileged cloud administrative users, groups, and roles are not impacted by data synchronized from on-premises environments, and that cloud administrative roles do not authenticate with SAML SSO, but instead rely on cloud-only authentication.”
The NSA also provides further guidance in their advisory notice for configuring log monitoring solutions to detect indications of compromise from federated attacks. CISA has also released a free tool called Sparrow which is designed to detect unusual and potentially malicious activity in Microsoft Azure and Office365 environments. Contact us here at Meditology if you want to get a handle on that tool and we can point you in the right direction.
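As an added illustration of the kind of log correlation the NSA guidance calls for (example code written for this post, not the NSA's, Microsoft's or CISA's tooling, and not Sparrow), the Python below checks three indicators: SAML tokens presented to Azure AD that have no corresponding on-premises ADFS issuance, tokens with an unusually long validity window, and federated sign-ins by accounts that should be cloud-only. The log records are constructed, and the field names, the 60-second correlation window and the one-hour lifetime threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real logs. Each ADFS record stands in for an
# on-premises token-issuance audit event (event 1200 in a real deployment).
ADFS_ISSUANCE = [
    {"time": "2021-01-14T09:00:05Z", "user": "alice@example.org"},
    {"time": "2021-01-14T09:30:10Z", "user": "bob@example.org"},
    {"time": "2021-01-14T09:45:00Z", "user": "cloudadmin@example.org"},
]
# Constructed Azure AD sign-ins that presented a SAML token. Field names and the
# not_before/not_after validity window are assumptions made for this example.
AAD_SIGNINS = [
    {"time": "2021-01-14T09:00:07Z", "user": "alice@example.org",
     "not_before": "2021-01-14T09:00:05Z", "not_after": "2021-01-14T10:00:05Z"},
    {"time": "2021-01-14T09:30:12Z", "user": "bob@example.org",
     "not_before": "2021-01-14T09:30:10Z", "not_after": "2021-01-14T10:30:10Z"},
    # Token ADFS never issued, with a 24-hour lifetime: the forged-token pattern.
    {"time": "2021-01-14T11:15:00Z", "user": "bob@example.org",
     "not_before": "2021-01-14T11:14:55Z", "not_after": "2021-01-15T11:14:55Z"},
    # Privileged cloud role arriving through federation instead of cloud-only auth.
    {"time": "2021-01-14T09:45:02Z", "user": "cloudadmin@example.org",
     "not_before": "2021-01-14T09:45:00Z", "not_after": "2021-01-14T10:45:00Z"},
]
# Accounts holding core cloud admin roles; per the NSA guidance these must not use SAML SSO.
CLOUD_ONLY_ADMINS = {"cloudadmin@example.org"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_signins(adfs_events, signins, window_s=60, max_lifetime_h=1):
    """Return (user, time, reasons) for each federated sign-in that fails a check."""
    issued = {}
    for event in adfs_events:
        issued.setdefault(event["user"], []).append(parse_ts(event["time"]))
    findings = []
    for s in signins:
        t, reasons = parse_ts(s["time"]), []
        # 1. A token should trace back to an ADFS issuance just before the sign-in;
        #    a miss suggests a token forged with stolen signing keys.
        if not any(0 <= (t - i).total_seconds() <= window_s for i in issued.get(s["user"], [])):
            reasons.append("no matching ADFS token issuance")
        # 2. ADFS tokens are short-lived; an unusually long validity window is a red flag.
        if parse_ts(s["not_after"]) - parse_ts(s["not_before"]) > timedelta(hours=max_lifetime_h):
            reasons.append("token lifetime exceeds policy")
        # 3. Cloud-only administrative roles must never arrive through federation.
        if s["user"] in CLOUD_ONLY_ADMINS:
            reasons.append("cloud-only admin used federated sign-in")
        if reasons:
            findings.append((s["user"], s["time"], reasons))
    return findings
```

In a real deployment the two inputs would come from the ADFS security log and the Azure AD sign-in log export, keyed on the same user principal name.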
Meditology recommends conducting a review of all tenant apps and credentials to validate that configurations are in place to limit excessive cloud-to-cloud passthrough access. Specifically, we offer a cloud security assessment that reviews your overall cloud security posture including federation configurations, related security controls, and administrative processes to validate that security configurations remain secure over time. This assessment does not have to be limited to Microsoft-specific implementations and is appropriate for other cloud solutions like Amazon AWS and Google GCP environments.
We also recommend performing technical penetration testing to validate that cloud platforms are working as expected to secure access to your sensitive data and systems. If you conduct routine penetration tests using a firm like Meditology or via your own internal pen testers, we recommend instructing the testers to specifically attempt to bypass access controls to cloud platforms using federated systems. Ask testers to further determine if they can get administrative access to ADFS, Azure AD, or other federation rules configurations in your environment. We recommend focusing specifically on Office365 email access, as this is the area that the NSA notes attackers are most commonly exploiting.
Meditology provides a range of services to support cloud implementations for healthcare entities including cloud security risk assessments, cloud security strategic planning, penetration testing, cloud vendor risk management, HITRUST and SOC 2 certification for cloud implementations, and cloud security subject matter expertise and staff augmentation support.
We have also launched a dedicated Cloud Security Center of Excellence that delivers thought leadership content including webinars, podcasts, tools, blogs, and other on-demand resources to help organizations manage cloud security risks.
Contact us to learn more about how we can support your cloud security program.