
[Editor’s Note: Independent security consultant Christopher Budd worked previously in Microsoft’s Security Response Center for 10 years.]

Analysis: To understand where the SolarWinds attackers are going next, and how to defend against them, look to the clouds.

The SolarWinds supply chain attack is unprecedented in many ways: in the sophistication of its execution, the breadth of its reach, and its remarkable effectiveness. But perhaps most notable is that the SolarWinds attackers appear to have made gaining access to cloud-based services one of their key objectives, in a way not seen before at this scale.

This is becoming clearer as new reports clarify information obfuscated by technical jargon in early incident reports last week.

On Monday, the New York Times reported that “[t]he Russian hackers who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership.” This follows a report from Reuters on Dec. 13, saying “[h]ackers broke into the [National Telecommunications and Information Administration] NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months, sources said.”

These reports, combined with technical details released by Microsoft and the National Security Agency (NSA) in the past week, show how the SolarWinds attackers have made targeting cloud-based services a key objective in their attacks. Specifically, if we decode the various reports and connect the dots we can see that the SolarWinds attackers have targeted authentication systems on the compromised networks so they can log in to cloud-based services like Microsoft Office 365 without raising alarms. Worse, the way they’re carrying this out can potentially be used to gain access to many, if not all, of an organization’s cloud-based services.

This tells us the attackers adapted their methods to match the hybrid on-premises/cloud environments that many organizations now run. It means that responders to the SolarWinds attacks need to look not only at their own systems and networks but also for evidence of compromise in their cloud services. It also means that, from now on, defenders need to increase the security and monitoring of their cloud service authentication systems and infrastructure.

We’ll explore the technical details below, but here are the key takeaways:

  1. One of the key actions SolarWinds attackers take after establishing a foothold on networks is to target the systems that issue the proof of identity used by cloud-based services, and steal the means to issue IDs.
  2. Once they have this, they can use it to create fake IDs that let them impersonate legitimate users or create seemingly legitimate malicious accounts, including accounts with administrative (i.e. total) access.
  3. Because these IDs are used to give access to data and services by cloud-based services, the attackers are able to access data and email just like legitimate users, including those with total access, and they do so.

It is very likely that this is how the SolarWinds attackers gained access to Treasury and NTIA’s email systems: they leveraged the network compromise to get access to cloud-based services. In fact, one of the Microsoft postings about the SolarWinds attack is titled “Protecting Microsoft 365 from on-premises attacks,” which really means, “How to keep your network compromise from turning into a cloud-services compromise, as well.”

What is SAML, and why does it matter?

To understand this aspect of the SolarWinds attacks, it’s important to know that SAML stands for “Security Assertion Markup Language.” It’s an open standard for authentication (i.e. logging on) used by cloud-based services: an identity provider (such as an organization’s federation server) vouches for a user, and the cloud service accepts that vouching. A “SAML token” is the actual “proof” presented to the service that you are who you say you are. The service trusts the token because it is digitally signed with a certificate the service has been configured to trust, which is exactly what makes the signing certificate such a valuable target.

Experts in cloud or authentication technologies won’t find the Treasury or NTIA developments surprising: Microsoft spelled this out in its Dec. 13 posts, “Customer Guidance on Recent Nation-State Cyberattacks” and “Important steps for customers to protect themselves from recent nation-state cyberattacks.” Both posts use similar language:

  • The intruder “uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.”
  • “Anomalous logins using the SAML tokens created by the compromised token signing certificate can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.”

Then Microsoft released a series of blog posts discussing the SolarWinds attacks, SAML and identity technologies (Dec. 15; Dec. 18; Dec. 21; Dec. 21).

Meanwhile, on Dec. 18, the NSA released an advisory, “Detecting Abuse of Authentication Mechanisms.” While it is not a response to the SolarWinds attacks specifically, it discusses SAML-based attacks and puts the SolarWinds attacks in the context of those attacks, which have been around since 2017.

Information is scattered across all of these postings but together they make clear that:

  • One of the key actions SolarWinds attackers are taking after they establish a foothold on networks is to “[steal] the certificate that signs SAML tokens from the federation server (ADFS) called a Token Signing Cert (TSC).” [Source]
  • Once they have this, it lets them “forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” [Source]
  • Because “[d]ata access has relied on leveraging minted SAML tokens to access user files/email or impersonating the Applications or Service Principals by authenticating and obtaining Access Tokens using credentials that were added…[t]he actor periodically connects from a server at a VPS provider to access specific users’ emails using the permissions granted to the impersonated Application or Service Principal.” [Source]
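The Microsoft language above explains why signature checks alone do not catch this: a token minted with a stolen Token Signing Cert is signed with the certificate the cloud service was told to trust, so from the cloud side it is indistinguishable from a real one. What a forged token cannot have is a matching issuance record on the federation server, since the attacker signed it elsewhere. The following is an added example, not code from the original article, Microsoft, or the NSA: it correlates federated cloud sign-ins with on-premises AD FS token-issuance records and flags sign-ins that no issuance explains or whose validity window exceeds the organization’s token-lifetime policy. The record layouts, field names, the one-hour lifetime policy and the five-minute correlation window are all assumptions for the example; in a real deployment the inputs would come from the cloud provider’s sign-in log and the AD FS audit log, and the policy values from your federation configuration.

```python
from datetime import datetime, timedelta

# Constructed sample records (simplified; not real Azure AD sign-in or
# AD FS audit log formats). Each cloud sign-in carries the validity window
# of the SAML assertion that was presented; each AD FS record is one token
# issuance the federation server actually logged.
CLOUD_SIGNINS = [
    # Legitimate: AD FS issued alice a token five seconds earlier.
    {"user": "alice@example.com", "auth": "federated", "src_ip": "203.0.113.7",
     "issue_instant": "2020-12-14T09:00:10+00:00",
     "not_on_or_after": "2020-12-14T10:00:10+00:00"},
    # Forged with a stolen token-signing certificate: the signature verifies,
    # but AD FS never issued it, and the attacker gave it a 24-hour lifetime.
    {"user": "bob.admin@example.com", "auth": "federated", "src_ip": "198.51.100.23",
     "issue_instant": "2020-12-14T03:12:00+00:00",
     "not_on_or_after": "2020-12-15T03:12:00+00:00"},
    # Forged for a user who did sign in legitimately earlier that morning:
    # matching on user alone would miss this, matching on user + time does not.
    {"user": "carol@example.com", "auth": "federated", "src_ip": "203.0.113.9",
     "issue_instant": "2020-12-14T09:30:00+00:00",
     "not_on_or_after": "2020-12-14T10:30:00+00:00"},
    # Password sign-in directly to the cloud service: no SAML token involved.
    {"user": "dave@example.com", "auth": "password", "src_ip": "203.0.113.10",
     "issue_instant": "2020-12-14T09:45:00+00:00",
     "not_on_or_after": "2020-12-14T10:45:00+00:00"},
]

ADFS_ISSUANCES = [
    {"user": "alice@example.com", "time": "2020-12-14T09:00:05+00:00"},
    {"user": "carol@example.com", "time": "2020-12-14T07:55:00+00:00"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(value)


def review_federated_signins(cloud, adfs, max_lifetime=timedelta(hours=1),
                             window=timedelta(minutes=5)):
    """Return one finding per federated cloud sign-in that either has no
    AD FS issuance for the same user within `window` of the token's
    IssueInstant, or whose validity period exceeds `max_lifetime`.
    Both thresholds are assumed policy values for this example."""
    issued_by_user = {}
    for rec in adfs:
        issued_by_user.setdefault(rec["user"], []).append(parse_ts(rec["time"]))

    findings = []
    for signin in cloud:
        if signin["auth"] != "federated":
            continue  # no SAML token was presented, so nothing to correlate
        issued = parse_ts(signin["issue_instant"])
        expires = parse_ts(signin["not_on_or_after"])
        reasons = []

        # A token the federation server never issued cannot be explained by
        # any on-premises record near its IssueInstant.
        candidates = issued_by_user.get(signin["user"], [])
        if not any(abs(t - issued) <= window for t in candidates):
            reasons.append("no_adfs_issuance")

        # Attackers who mint their own tokens tend to choose lifetimes far
        # longer than the federation server would ever grant.
        if expires - issued > max_lifetime:
            reasons.append("lifetime_exceeds_policy")

        if reasons:
            findings.append({"user": signin["user"], "src_ip": signin["src_ip"],
                             "issue_instant": signin["issue_instant"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_federated_signins(CLOUD_SIGNINS, ADFS_ISSUANCES):
        print(f"{finding['user']} from {finding['src_ip']} at "
              f"{finding['issue_instant']}: {', '.join(finding['reasons'])}")
```

Run against the constructed data, the check flags bob.admin (no issuance, oversized lifetime) and carol (no issuance near the token’s IssueInstant) while passing alice and ignoring dave. The point of the time window is that the correlation has to be per token, not per user: a user who legitimately signed in at some point during the day still cannot account for a token minted hours later.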

What does this mean?

For security professionals, nothing here is new or surprising: total access to a network means you can do anything you want with it. Moreover, the NSA document points out that these attacks have been seen since 2017. But this is the first major attack with this kind of broad visibility that targets cloud-based authentication mechanisms. That, combined with the technical jargon in these reports, means many people have not yet connected the dots.

It doesn’t help that some of the discussion of this aspect has been unclear. Some reports have indicated that there’s a vulnerability affecting Microsoft’s products or services involved in the Treasury or NTIA email intrusions. I asked Microsoft if there were any vulnerabilities involved and they responded: “We have not identified any Microsoft product or cloud service vulnerabilities in these investigations. Once in a network, the intruder then uses the foothold to gain privilege and use that privilege to gain access.”

The NSA also speaks to this, saying, “[b]y abusing the federated authentication, the actors are not exploiting a vulnerability in [the Microsoft authentication technologies] ADFS, AD, or AAD, but rather abusing the trust established across the integrated components.” That is consistent with what I’ve outlined: attackers who own your network don’t need a vulnerability to gain access to your cloud-based services; they already have all they need to pull that off.

And while the discussion has focused on Microsoft’s cloud-based services, so far there is no information indicating that these attacks can only happen against Microsoft products or services. SAML is an open standard that is widely offered by vendors other than Microsoft and used by non-Microsoft cloud-based services. Any identity provider that signs SAML tokens has a signing key that can be stolen, and any cloud service that trusts that key will accept tokens forged with it, so the SolarWinds attacks and future SAML-based attacks against cloud services can involve non-Microsoft SAML providers and cloud service providers.

Next Steps

Taking all of this into account, what next steps should people take?

First, if your organization has had the compromised SolarWinds files on your network, your incident response process needs to include checking the authentication systems for your cloud-based services, starting with the federation server and its token-signing certificate, for possible compromise. If you cannot rule out that the signing certificate has been stolen, treat it as stolen: replace it, so that any tokens forged with the old one stop validating, and verify the integrity of the cloud services that trusted it.

Next, everyone using cloud-based services needs to take the NSA advisory very seriously and prioritize increasing the security and monitoring of their cloud-based service authentication mechanisms.

Finally, be prepared to learn of more organizations whose cloud-based services were compromised as part of the SolarWinds attacks. This is the largest and most widespread attack we have seen, and it is a situation that will take months, if not years, to fully unravel.
