
[Editor’s Note: Independent security consultant Christopher Budd worked previously in Microsoft’s Security Response Center for 10 years.]

Analysis: To understand where the SolarWinds attackers are going next, and how to defend against them, look to the clouds.


This is becoming clearer as new reports untangle information that was buried in technical jargon in the first incident reports last week.

On Monday, the New York Times reported that “[t]he Russian hackers who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership.” This follows a report from Reuters on Dec. 13, saying “[h]ackers broke into the NTIA’s [National Telecommunications and Information Administration] office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months, sources said.”

These reports, combined with technical details released by Microsoft and the National Security Agency (NSA) in the past week, show how the SolarWinds attackers have made targeting cloud-based services a key objective in their attacks. Specifically, if we decode the various reports and connect the dots we can see that the SolarWinds attackers have targeted authentication systems on the compromised networks so they can log in to cloud-based services like Microsoft Office 365 without raising alarms. Worse, the way they’re carrying this out can potentially be used to gain access to many, if not all, of an organization’s cloud-based services.



  1. One of the key actions the SolarWinds attackers take after establishing a foothold on a network is to target the systems that issue the proof of identity used by cloud-based services, and steal the means to issue those IDs.
  2. Once they have this, they can use it to create fake IDs that let them impersonate legitimate users or create seemingly legitimate malicious accounts, including accounts with administrative (i.e. total) access.
  3. Because cloud-based services grant access to data and services on the strength of these IDs, the attackers can read data and email just as legitimate users would, including users with total access, and they do.

It is very likely that this is how the SolarWinds attackers gained access to the Treasury’s and NTIA’s email systems: they leveraged the network compromise to get access to cloud-based services. In fact, one of the Microsoft postings about the SolarWinds attack is titled “Protecting Microsoft 365 from on-premises attacks,” which really means, “How to keep your network compromise from turning into a cloud-services compromise, as well.”


To understand this aspect of the SolarWinds attacks, it’s important to know that SAML stands for “Security Assertion Markup Language.” It’s a method for authentication (i.e. logging on) used by cloud-based services. A “SAML token” is the actual “proof” to the service that you are who you say you are; the service accepts it because it is digitally signed by the organization’s own identity system, which is why the signing certificate matters so much in what follows.

Experts in cloud or authentication technology will not find the Treasury or NTIA developments surprising: Microsoft spelled out this aspect in its Dec. 13 posts, “Customer Guidance on Recent Nation-State Cyber Attacks” and “Important steps for customers to protect themselves from recent nation-state cyberattacks.” Both posts have similar language:

  • The intruder “uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.”
  • “Anomalous logins using the SAML tokens created by the compromised token signing certificate can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.”

Then Microsoft released a series of blog posts discussing the SolarWinds attacks, SAML and identity technologies (Dec. 15; Dec. 18; Dec. 21; Dec. 21).


Information is scattered across all of these postings but together they make clear that:

  • One of the key actions the SolarWinds attackers are taking after they establish a foothold on a network is to “[steal] the certificate that signs SAML tokens from the federation server (ADFS) called a Token Signing Cert (TSC).” [Source]
  • Once they have this, it lets them “forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” [Source]
  • Because “[d]ata access has relied on leveraging minted SAML tokens to access user files/email or impersonating the Applications or Service Principals by authenticating and obtaining Access Tokens using credentials that were added…[t]he actor periodically connects from a server at a VPS provider to access specific users’ emails using the permissions granted to the impersonated Application or Service Principal.” [Source]



It doesn’t help that some of the discussion of this aspect has been muddled. Some reports have suggested that a vulnerability in Microsoft’s products or services was involved in the Treasury or NTIA email intrusions. I asked Microsoft if there were any vulnerabilities involved and they responded: “We have not identified any Microsoft product or cloud service vulnerabilities in these investigations. Once in a network, the intruder then uses the foothold to gain privilege and use that privilege to gain access.”

The NSA weighed in as well, saying, “[b]y abusing the federated authentication, the actors are not exploiting a vulnerability in [the Microsoft authentication technologies] ADFS, AD, or AAD, but rather abusing the trust established across the integrated components.” That is consistent with what I’ve outlined: attackers who own your network don’t need a vulnerability to gain access to your cloud-based services; they already have everything they need to pull that off.

And while the discussion has focused on Microsoft’s cloud-based services, so far there is no information indicating that these attacks can only happen against Microsoft products or services. SAML is an open standard that is widely offered by vendors other than Microsoft and used by non-Microsoft cloud-based services. The SolarWinds attacks, and future SAML-based attacks against cloud services of this kind, can just as well involve non-Microsoft SAML identity providers and cloud service providers.

Next Steps

Taking all of this into account, what next steps should people take?

First, if your organization has had the compromised SolarWinds files on its network, your incident response process needs to include checking the authentication systems behind your cloud-based services for possible compromise. And if you cannot rule out that they have been compromised, you will need to verify the integrity of those services.

Next, everyone using cloud-based services needs to take the NSA guidance very seriously and prioritize increasing the security and monitoring of the authentication mechanism behind their cloud-based services.
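One concrete form that monitoring can take follows. It is an added example, not code from this article or from Microsoft or the NSA, and it speaks to two points above: the Microsoft warning that tokens signed with the organization’s own trusted certificate produce anomalies that “might be missed,” and the next-steps advice to audit the authentication path behind cloud services. A forged token passes signature verification by construction, so the check has to look at what the identity provider can account for instead. The script parses SAML 2.0 assertions presented to a cloud service and flags two things: a token whose validity window is longer than the identity provider would ever issue, and a token for which the federation server has no matching issuance record. The log records are constructed, the 60-minute lifetime is an assumed IdP policy (the ADFS default), and the issuance events stand in for ADFS auditing records (ADFS logs a valid token issuance as Event ID 1200). Nothing here is Microsoft-specific; the same correlation applies to any SAML identity provider.

```python
"""Audit SAML sign-ins for tokens a trusted-but-stolen signing cert would produce.

Added example; not code from the article, Microsoft or the NSA.
Every record below is constructed. Two assumptions are baked in:
  * the federation server (ADFS) never issues tokens valid for longer than
    IDP_TOKEN_LIFETIME (assumed here to be the 60-minute ADFS default), and
  * every token the cloud legitimately accepts has a matching issuance event
    on the federation server, so a token with no such event was minted
    somewhere else with the stolen key.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_TOKEN_LIFETIME = timedelta(minutes=60)  # assumed IdP policy
MATCH_WINDOW = timedelta(minutes=5)         # tolerated clock skew between logs


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the audit-relevant fields from a SAML 2.0 assertion.

    Signature checking is deliberately not done here: a token forged with the
    organisation's own token-signing certificate passes it, so it tells us nothing.
    """
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "user": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "issue_instant": _ts(root.get("IssueInstant")),
        "not_before": _ts(conditions.get("NotBefore")),
        "not_on_or_after": _ts(conditions.get("NotOnOrAfter")),
    }


def audit(assertions, issuance_events):
    """Return (user, reason) findings for tokens the IdP cannot account for."""
    findings = []
    for token in assertions:
        # Check 1: a lifetime the IdP would never grant is a forgery tell.
        lifetime = token["not_on_or_after"] - token["not_before"]
        if lifetime > IDP_TOKEN_LIFETIME:
            findings.append((token["user"], f"lifetime {lifetime} exceeds IdP policy"))
        # Check 2: the cloud accepted a token the federation server never issued.
        issued_by_idp = any(
            ev["user"].lower() == token["user"].lower()
            and abs(ev["time"] - token["issue_instant"]) <= MATCH_WINDOW
            for ev in issuance_events
        )
        if not issued_by_idp:
            findings.append((token["user"], "no matching federation-server issuance event"))
    return findings


# ---- constructed sample data ---------------------------------------------
ASSERTION_TEMPLATE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="{id}" Version="2.0" IssueInstant="{issued}">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}"/>
</saml:Assertion>
"""


def sample_assertions():
    """Three tokens presented to the cloud service (constructed)."""
    rows = [
        # legitimate: issued by ADFS, one-hour lifetime
        ("_a1", "alice@corp.example", "2020-12-15T10:00:00Z", "2020-12-15T11:00:00Z"),
        # forged carelessly: one-year lifetime, never went through ADFS
        ("_a2", "cfo@corp.example", "2020-12-15T10:02:00Z", "2021-12-15T10:02:00Z"),
        # forged carefully: policy-compliant lifetime, but still never issued by ADFS
        ("_a3", "globaladmin@corp.example", "2020-12-15T10:30:00Z", "2020-12-15T11:30:00Z"),
    ]
    return [parse_assertion(ASSERTION_TEMPLATE.format(id=i, user=u, issued=s, expires=e))
            for i, u, s, e in rows]


def sample_issuance_events():
    """Federation-server issuance records (constructed; ADFS auditing logs these as Event ID 1200)."""
    return [{"event_id": 1200, "user": "alice@corp.example", "time": _ts("2020-12-15T10:00:01Z")}]


def run_audit():
    return audit(sample_assertions(), sample_issuance_events())


if __name__ == "__main__":
    for user, reason in run_audit():
        print(f"SUSPECT {user}: {reason}")
```

The third sample token is the one that matters: its lifetime is within policy and its signature would verify, so only the correlation against the federation server’s own issuance records exposes it. That is why collecting and retaining the identity provider’s issuance logs alongside the cloud sign-in logs is the prerequisite for any of this to work.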


