NSA on Authentication Hacks (Related to SolarWinds Breach)

The NSA has published an advisory outlining how “malicious cyber actors” are “are manipulating trust in federated authentication environments to access protected data in the cloud.” This is related to the SolarWinds hack I have previously written about, and represents one of the techniques the SVR is using once it has gained access to target networks.

From the summary:

Malicious cyberactors are abusing trust in federated authentication environments to access protected data. The exploitation occurs after the actors have gained initial access to a victim’s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources. The actors demonstrate two sets of tactics, techniques,and procedures (TTP) for gaining access to the victim network’s cloud resources, often with a particular focus on organizational email.

In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens(TA0006, T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access and VMware Identity Manager that allowed them to perform this TTP and abuse federated SSO infrastructure.While that example of this TTP may have previously been attributed to nation-state actors, a wealth of actors could be leveraging this TTP for their objectives. This SAML forgery technique has been known and used by cyber actors since at least 2017.

In a variation of the first TTP, if the malicious cyber actors are unable to obtain anon-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002).

This is an ongoing story, and I expect to see a lot more about TTP — nice acronym there — in coming weeks.

Related: Tom Bossert has a scathing op-ed on the breach. Jack Goldsmith’s essay is worth reading. So is Nick Weaver’s.

Posted on December 18, 2020 at 10:35 AM16 Comments


quietly anonymous December 18, 2020 11:31 AM

That opinion piece, while scathing reads like the author truly hopes this is what has happened which, according to zdnet’s, microsoft’s, and ars technica’s articles, isn’t exactly how it happened. I think its a fluff piece, just another kick with a boot muddy from the last months’ controversies.

Hideous December 18, 2020 2:00 PM

Hey, Bruce, we already had “TTP” as a “nice acronym” for “Trusted Third Party,” remember? So a Certificate Authority, a Kerberos AS+KDC, a SAML IDP, things like that we call TTP’s.

I don’t want to lose “TTP” as a label for an important type of service just so some doofus can use it to abbreviate the mushy concept of “tactics, techniques, and procedures.”

DaveR December 18, 2020 2:29 PM


“Hey, Bruce, we already had “TTP” as a “nice acronym” for “Trusted Third Party,” remember?”

I am pretty sure, after looking at the Summary PDF using the link Bruce provided, that the TTP usage is NSA’s, not Bruce’s.

Having said that, I share your concern as we continue to see useful TLAs and abbreviations taken over by people/groups that seems to have forgotten there was an earlier valid use. Or, the new usage comes up in an industry not quite related to the old usage.

Either way it is just a bit frustrating.

SpaceLifeForm December 18, 2020 3:36 PM

TTP in this context has been in use for years.

It’s just one of those acronym overlap things.

Other examples are IRA, SCO.

It’s always the context that makes it clear which possible interpretation is in use.

1&1~=Umm December 18, 2020 4:03 PM


“You know, the obvious question that no one seems to have asked about all this…”

How about,

‘Is it a US agency instigated backdoor that somebody else has discovered and is now using in return?’

I notice four or five commenters on this blog have either alluded to it or said it out right.

I must admit that if it is the case, Ex politico William Barr is going to look extreamly foolish and I for one will laugh wholeheartedly at him. Because at the end of the day he was stupid enough to ‘keep flapping his gums’ even when he had been publicly and repeatedly warned of the dangers.

JonKnowsNothing December 19, 2020 7:25 AM

@ Rj

re: For a site that is supposed to be by and for professional internet security people, the above “swimwear” postings are a blatant demonstration that the site administrator is not very good


What it does show is:

A) It is a hot topic which shows up in any internet query and that it is “trending”.

B) The machine bots or prisoners who are required to post this stuff post to anything “trending”

C) The machine AI-bots of governments and LEAs who do not like the sort of topics discussed here to be discussed at all, try to drown out the threads by various techniques. Trolls and Advertising have much in common.

AlexT December 19, 2020 2:57 PM

“represents one of the techniques the SVR is using once it has gained access to target networks”

It certainly does, just as the Mossad, the MOIS, any of the 3 letter agencies or any competent contractor. Unless you have definite proof it was the SVR (which is almost impossible) why use that specific terminology ?

mother, i wont be home for christmas December 19, 2020 4:43 PM

@ JonKnowsNothing:

What it does show is:

My guess is in part, “spam/fake” sites are actually fronts or semi-fronts which bring in web browser prefetching tech which most people don’t disable. So in other words, badda bing badda boom, controversial subject(s) being discussed, let’s gather IP information to get the potential author(s) and/or readers at a mission critical time.

D. Prendergast December 20, 2020 4:24 AM

Heads should roll, but they won’t. Nakasone will be burnishing his resume. The DNI should have the grace to resign, but he won’t vacate his position either.

The point is this: which networks were compromised, and what is the highest classification level for traffic allowed on those networks? If the NSA was hacked for a year without anyone noticing, Nakasone must step down. If CIA was hacked too, for over a year without a soul having a clue, then bring in the clowns (again). Let’s not hire people based upon their qualifications. Let’s have diversity. We need to look good. Anyone got any extra hair gel? Non-sticky?

One imagines that the targets were victims of kleptograpy, that the payloads were encrypted and then exfiltrated. I would like to know whether the malicious actors used RSA, which symmetric algorithm they used, and which cryptographic hash functions they employed.

I do not believe that Secretary Pompeo would tell the truth about what he knows because that would not have been helpful. We should not rush to judgment and say it was the Russians. It may look like the Russians, yes. My hunch is that it was the Chinese.

There is a very uncomfortable point in the offing: get ready for the technological domination of China. It is completely in the cards, ladies and gents. The U.S. just got outclassed, and I have a feeling that this hack will be looked back upon as especially telling.

Sancho_P December 20, 2020 7:47 AM

Glad the NSA know how it works!

Um, …
Probably they could ask the SVR what to do against?
I mean something like defence, in contrast to the usual offence?

Donelly December 20, 2020 8:44 AM

… NSA heads should roll — NSA mission is to PREVENT this type of attack!

Instead, NSA issues a pathetic “Advisory” after the damage is done.

NSA spent well over $200 Billion since 2000 — taxpayers deserve a refund… and a lot less domestic spying.

ResearcherZero December 20, 2020 11:37 PM

The wonders of legacy systems on the network.

Every valid HPKP configuration has to include at least one backup key. In addition, the configuration must at any given time be offering at least one pin which matches the configuration presented to all its previous users.

There are exploits that can be used against windows certificate scheme on the client, by abusing windows components, especially on anything legacy. Those kind of attacks are custom one off jobs, not that hard to pull off too with a bit of time spent studying the operating system beforehand. The difficulty depends on what end result is wanted, increasing in difficulty depending on how stealthy you want it to be. If it’s just damage, then it’s fairly trivial, script kiddie level.

The current CA certificates will not be revoked until February 15, 2021. After that date you can remove the old thumbprints from your code.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.