Mediaboss Marketing

NSA warns hackers are forging cloud authentication information | 2020-12-22 | Security Magazine This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more. This Website Uses CookiesBy closing this message or continuing to use our site, you agree to our cookie policy. Learn MoreThis website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.

Excerpt from:
NSA warns hackers are forging cloud authentication information - Security Magazine

The most surprising thing about the failure of U.S. intelligence to discover for nearly nine months the SolarWinds penetration of U.S. government agencies, reportedly including the State, Energy, and Homeland Security Departments as well as private contractors, is that anyone is surprised. After all, the National Security Agency, responsible for protecting the communications of the U.S. government, had such a massive hole punched in its capabilities by a breach in 2013 that Michael McConnell, the former director of first the NSA and then the Office of National Intelligence, assessed This [breach] will have an impact on our ability to do our mission for the next 20 to 30 years.

The proximate cause of the damage was Edward Snowdens theft of NSA files in June 2013. He was never apprehended because he fled first to Hong Kong, where he met with journalists, and then Russia, where he received sanctuary from Putin. How could such a loss of intelligence not do immense damage to the NSAs counterintelligence for many years?

According to the unanimous report of the House Permanent Select Committee on Intelligence, Snowden removed from the NSA digital copies of 1.5 million files, including 900,000 Department of Defense documents concerning, among other things, the newly created joint Cyber Command. Other stolen files contained documents from GCHQthe British signal intelligence service to which Snowden had access. One NSA file, a 31,000-page database, included requests to the NSA made by the 16 other agencies in the Intelligence Community for coverage of foreign targets.

NSA Deputy Director Rick Ledgett, who headed the NSAs damage assessment, warned that this database reveals the gaps in our knowledge of Russia, thus provides our adversaries with a roadmap of what we know, what we dont know, and gives themimplicitlya way to protect their information from the U.S. intelligence communitys view.

Snowdens theft dealt a savage blow to U.S. intelligence. Whenever sensitive compartmentalized information (SCI) is removed without authorization from the NSAs secure facilities, as it was by Snowden, it is, by definition, compromised, regardless of what is done with it. Whether Snowden gave these files to journalists, Russians, or Chinese intelligence, or whether he erased them or threw them in the Pacific Ocean, all the sources in them had to be considered compromisedand shut down. So did the methods they revealed.

The Pentagon did a more extensive damage assessment than the NSA, assigning hundreds of intelligence officers, in round-the-clock shifts, to go through each of the 1.5 million files to identify all the fatally compromised sources and methods they contained, and shut them down. This purge reduced the capabilities of the NSA, the Cyber Command, the British GCHQ, and other allied intelligence services to see inside Russia and China.

The damage was deepened by Snowdens defection to Russia. In a televised press conference on September 2, 2013, Vladimir Putin gloated, I am going to tell you something I have never said before, revealing that, while in Hong Kong, Snowden had been in contact with Russian diplomats. While Snowden denies giving any stolen secrets to Russia, U.S. intelligence further determined, according to the bipartisan House Permanent Select Intelligence Committee, that he was in contact with the Russian intelligence services after he arrived in Moscow and continued to be so for three years. Both Mike Rogers, the committees chair, and Adam Schiff, its ranking minority member, confirmed this finding to me. Fiona Hill, an intelligence analyst in both the Obama and Trump administrations, told the The New Yorker in 2017 that The Russians, partly because they have Edward Snowden in Moscow, possess a good idea of what the U.S. is capable of knowing. They got all of his information. You can be damn well sure that [Snowdens] information is theirs.

After the NSA, CIA, and the Cyber Command shut down the sources and methods Snowden had compromised, McConnell pointed out that entire generations of information had been lost. The resulting blind spots in our surveillance of Russia gave Moscows intelligence services full latitude to carry out mischief. Russian intelligence services have no shortage of operatives and tools to carry out long-term operations in cyberspace and elsewhere.

In the 2020 SolarWinds penetration, which Secretary of State Mike Pompeo attributes to Russian intelligence, the gaps allowed Russian spies to masquerade as authorized system administrators and other IT workers. The spies could use their forged credentials to copy any material of interest, plant hidden programs to alter the future operations of thousands of workstations in networks inside and outside the government, cover their tracks, and plant hidden backdoors for future access. Though it may take years to find and unravel all the malicious code implanted in these systems, the Cybersecurity and Infrastructure Security Agency has already determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.

This immense compromise of government networks is the inevitable price for allowing a large part of our counterintelligence capability to be compromised in 2013. The perverse irony here is that while Vladimir Putin rewarded Snowden for his contributions with permanent residency, Donald Trump says that he is looking into pardoning Snowden for his intrusion into NSA files and betrayal of American secrets.

Edward Jay Epsteins most recent book was How America Lost Its Secrets: Edward Snowden, the Man and the Theft.

Photo by Rosdiana Ciaravolo/Getty Images

Original post:
Edward Snowden Pardon and the SolarWinds Hack - City Journal

The pandemic affected everyone this year, but our mission didnt slow down. As our Director, GEN Paul Nakasone said, we are one team, and each of us contributes our unique expertise to a mission that is all the more critical in times of crisis.

Throughout 2020, our workforce contributed our expertise in many ways:

NSA worked to secure our elections

The security of the2020 Presidential electionwas NSAs top priority in 2020. We were part of the Whole-of-Government effort to identify and counter foreign interference and malign influence threats to the 2020 U.S. elections. NSA generated vital insights and shared them with partner agencies like U.S. Cyber Command, the Department of Homeland Security and the Federal Bureau of Investigation.Our efforts strived to assure all audiences, and most importantly, the American public, that NSA, USCYBERCOM, and other U.S. government partners together protected the U.S. elections from foreign interference and influence campaigns.

NSA shared cybersecurity guidance and advisories

MarylandGovernor Hoganrecognized our cybersecurity expertise to keepCOVID-19 research protectedas part of the U.S. Government-wide Operation Warp Speed (OWS). In addition to our support to OWS, as the pandemic shifted the workplace to home, NSA helped teleworkerswork from home safely,secure their home office, and evenlimit their mobile device exposurethanks to guidance developed by our Cybersecurity mission.

NSA continued our steady provision ofcybersecurity advicefor the Department of Defense, National Security Systems and the Defense Industrial Base. These specificadvisories and guidancealso helped system administrators and other cyber specialists across the cybersecurity field by providing information that was timely, relevant, and actionable throughout the year.

NSA drove innovative solutions

While the world faced new challenges this year, we didnt stop creating solutions. We contributed to the evolution of5G, were involved in how to keep theInternet of Thingssecure, planned for the future of national security when applyingquantumcomputing, we developed aQuBIT Collaboratory, and stood up theCenter for Cybersecurity Standards.

NSA invested in our nations future

We look forward to starting the New Year and the future looks bright, thanks to our investments in the future. TheOnRamp II programprovides the scholarships for students who will be developing the newest solutions to keep our nation safe. NSA worked in partnership with the DoD Office of Small Business Programs and created theCybersecurity Education Diversity Initiativeto assist minority serving institutions. This allows Historically Black Colleges and Universities with no existing cybersecurity program to obtain access to and educational resources from designated National Centers of Academic Excellence in Cybersecurity Institutions. We were pleased to announce that theU.S. Naval Academyreceived its designation as an NSA Center of Academic Excellence in Cyber Operations to develop new cyber warriors.

NSA personnel recognized for excellence

While many NSA personnel serve in silence, several of our staff and former personnel were publicly recognized this year for their dedication to our nations security. Former NSA Executive DirectorHarry Cokerwas recognized by the Intelligence Community for his commitment to improving diversity, equality, and inclusion.MSgt Frances Dupris,Dr. Ahmad Ridley,LaNaia JonesandJanelle Romanowere recognized for showing the importance of STEM education and career development. OurTech Transfer Teamwas recognized by the DoD for creating an efficient process for releasing NSA-developed capabilities to the open-source software community.

For more details on our efforts to protect our nation and secure our future, check out our Twitter,@NSAGov, throughout the month.

Read more at NSA

(Visited 60 times, 6 visits today)

Read the original post:
NSA Year in Review: Election Security, Cybersecurity, and More - HSToday

A VMware vulnerability that allowed access to protected data and federated authentication abuse was used by the SolarWinds hackers to attack high-value targets, KrebsOnSecurity reported.

The U.S. National Security Agency (NSA) warned on Dec. 7 that a flaw in the software of Palo Alto, Calif.-based VMware was being used by Russian hackers to impersonate legitimate users on breached networks. In order to exploit this vulnerability, the NSA said hackers would need to be on the targets internal network, which KrebsOnSecurity pointed out would have been the case in the SolarWinds hack.

VMware told CRN that it has received no notification or indication that this vulnerability was used in conjunction with the SolarWinds supply chain compromise. After being tipped off to the flaw by the NSA, VMware released a software update Dec. 3 to plug the security hole.

[Related: SolarWinds Hack Compromised 40-plus Microsoft Customers]

While some of VMwares own networks used vulnerable versions of SolarWinds Orion network monitoring platform, the company told CRN that an investigation has thus far revealed no evidence of exploitation. VMwares stock is down $7.47 (5.04 percent) to $140.63 per share since the KrebsOnSecurity report came out just after 1:30 p.m. ET Friday.

While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation, VMware said in a statement. This has also been confirmed by SolarWinds own investigation to date.

The NSA advisory came less than 24 hours before FireEye disclosed that it had suffered a security breach designed to gain information on some of the companys government customers. SolarWinds said its CEO Kevin Thompson was told Saturday by a FireEye executive of the Orion backdoor, and soon discovered it had been the victim of a cyberattack that impact both Orion tools as well as its internal systems.

The only private-sector organizations flagged as having been compromised via SolarWinds are FireEye and Microsoft, with Reuters reporting the latter Thursday. Reuters also alleged that Microsofts own products were then used by Russian government hackers to further the attacks on other victims.

Microsoft told CRN Thursday the sources for the Reuters report are misinformed or misinterpreting their information, but acknowledged the software giant had detected malicious SolarWinds binaries in its environment. The U.S. government said Thursday it has evidence of additional initial access vectors beyond SolarWinds Orion, but noted those other intrusion methods are still being investigated.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Thursday it had observed the hackers adding authentication tokens and credentials to highly privileged Microsoft Active Directory domain accounts as a persistence and escalation mechanism. In many instances, CISA said the tokens enable access to both on-premise and hosted resources.

One of the principal ways the hacker is collecting victim information is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges, CISA said. Hosted email services, hosted business intelligence applications, travel systems, timecard systems, and file storage services (such as SharePoint) commonly use SAML, according to CISA.

Similarly, the NSAs Dec. 7 report said exploiting the VMware Access and VMware Identity Manager products via led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.

Microsoft ADFS can be used to federate identities with VMware Identity Manager, the NSA wrote in a cybersecurity advisory issued yesterday. By abusing the federated authentication, the NSA said the hackers can abuse the trust established across the integrated components.

Adversaries target products like VMware Identity Manager to gain access to cloud services such as Microsoft Office 365, the NSA wrote yesterday. Once access is gained, the NSA said the hackers can monitor or exfiltrate emails and documents stored in Microsoft Office 365 environments.

Go here to see the original:
VMware Flaw Used To Hit Choice Targets In SolarWinds Hack: Report - CRN

3rd Party Risk Management , Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks

The U.S. National Security Agency has issued a warning about two hacking techniques that could allow threat actors to access cloud resources by bypassing authentication mechanisms.

See Also: The SASE Model: A New Approach to Security

The warning comes after a week's worth of revelations over the SolarWinds breach that has affected government agencies as well as corporations, including Microsoft, FireEye, Intel and Nvida (see: SolarWinds Hack: Lawmakers Demand Answers).

Secretary of State Mike Pompeo, commenting on the breach, said in a Friday evening radio interview that "the Russians engaged in this activity."

"I can't say much more as we're still unpacking precisely what it is, and I'm sure some of it will remain classified," Pompeo said, according to a transcript provided by the State Department. "But suffice it to say there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well. This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity."

In a pair of tweets on Saturday, President Donald Trump appeared to question whether Russia was involved in the hacking operation and opened up the possibility that China may have played a role (see: President Trump Downplays Impact of SolarWinds Breach).

"The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted. "Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."

The NSA advisory does not specify whether the nation-state hackers behind the SolarWinds breach used these same tactics, techniques and procedures to compromise various networks and gain additional privileges, but the advisory notes threat actors could use these methods to steal credentials and maintain persistent access.

"Initial access can be established through a number of means, including known and unknown vulnerabilities," according to the NSA alert. "The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access."

The NSA adds these particular tactics and methods described in the alert are not new and have been used by threat actors since 2017.

The two techniques described by NSA involve hacking of cloud resources using either compromised authentication tokens or through compromised system administration accounts in the Microsoft Azure platform. The agency adds, however, that these techniques can be replicated in other cloud platforms as well.

The NSA notes that its latest alert builds on a previous warning about techniques that Russian-linked hackers were using to exploit a vulnerability in several VMware products. The company has since issued a fix for this bug, and users are encouraged to apply it as soon as possible (see: NSA: Russian Hackers Exploiting VMware Vulnerability).

This alert describes two scenarios where the attackers have already compromised the local network and have gained access to the authentication mechanisms that are used to access cloud resources.

In the first scenario, the threat actors begin by compromising on-premises components of federated single sign-on authentication systems that use a single identification and password to log into several systems, the advisory notes.

The attackers then steal credentials or private keys that are used to sign Security Assertion Markup Language, or SAML, tokens used for authentication and authorization between cloud service providers and its tenants or users, the NSA notes.

"Using the private keys, the actors then forge trusted authentication tokens to access cloud resources," according to the NSA alert. "If the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens."

In the second scenario, the threat actors use compromised administrator accounts to assign credentials to cloud application services. The actors then call for the applications' credentials to gain automated access to cloud resources, the advisory adds.

The NSA adds that attacks against the cloud infrastructure do not use vulnerabilities in the cloud components, but instead manipulate the "trust" needed for performing authentication, assigned privileges and the SAML tokens.

"If any of these components is compromised, then the trust in the federated identity system can be abused for unauthorized access," the advisory notes.

Brendan O'Connor, CEO and co-founder of security firm AppOmni, notes the tactics described by NSA particularly make third-party apps that connect to cloud services more susceptible to attacks, especially with more organizations now working remotely due to the COVID-19 pandemic.

"It's not that our premise tools have failed, but the data has moved to where they can't see it," O'Connor tells Information Security Media Group. "Getting visibility into what third-party applications are already connected to your cloud applications should be one of the top priorities for security teams."

Because the attacks mainly take advantage of Security Assertion Markup Language in cloud platforms, the NSA recommends several steps that cloud service providers and users can adopt to prevent breaches using the scenarios described in the alert. These mitigation methods include:

The NSA also recommends auditing of the tokens to identify any disparities in their activities. This can be done by either auditing the creation and use of service principal credentials or by auditing the assignment of credentials to applications that allow for non-interactive sign-in by the application.

While the mitigation strategies described by the NSA are meant to provide guidance for the National Security System, Department of Defense, and Defense Industrial Base network administrators, these methods can be applied to any network.

Managing Editor Scott Ferguson contributed to this report.

See the article here:
NSA Warns of Hacking Tactics That Target Cloud Resources - BankInfoSecurity.com