SolarWinds: An Updated SEC Filing, a Revised CISA Alert, and an NSA Advisory on Authentication Mechanism Abuse
SolarWinds has updated its US Securities and Exchange Commission (SEC) Form 8-K filing to provide additional information about the supply-chain breach. The Cybersecurity and Infrastructure Security Agency (CISA) has revised its alert to cover additional initial access vectors, an updated list of IOCs, and the National Security Agency (NSA) advisory on attackers abusing authentication mechanisms.
The use of SAML to support federated authentication has been a huge enabler for cloud services; it also allows for alternative authentication mechanisms such as SSO and MFA, and for changing the authentication requirement based on location. Attackers are using forged SAML tokens to access your cloud services, particularly email systems, but also any insourced applications that use federated authentication. They do this either by stealing the private key that signs SAML authentication tokens or by obtaining sufficient privileges to create new trust relationships. Verify the security configuration of your federated authentication components and monitor for malicious behavior. Talk to your cloud service providers about their use of SolarWinds and their response plans, if any.
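As an added example (not code from the alert or the advisories linked below), here is a Python check of the kind the note recommends: it reviews a SAML 2.0 assertion against a tenant's known IdP issuer and token-signing certificate fingerprint, and flags a validity window longer than the IdP is configured to issue. The issuer, certificate bytes, lifetime limit and sample assertions are all constructed for this example; the script does not verify the XML signature itself, which the service provider's SAML library must still do.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed baseline for a hypothetical tenant: expected IdP entity ID, SHA-256 of the
# IdP's real token-signing certificate (DER bytes), and the longest lifetime it issues.
LEGIT_CERT_DER = b"constructed-legit-signing-cert"
TRUSTED_ISSUER = "https://idp.example.test/adfs/services/trust"
TRUSTED_CERT_SHA256 = hashlib.sha256(LEGIT_CERT_DER).hexdigest()
MAX_LIFETIME_SECONDS = 3600

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_assertion(xml_text):
    """Return findings for one SAML 2.0 assertion; an empty list means nothing odd."""
    findings = []
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        findings.append(f"issuer {issuer!r} is not the tenant's IdP (new trust relationship?)")
    b64 = root.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
    if hashlib.sha256(base64.b64decode(b64)).hexdigest() != TRUSTED_CERT_SHA256:
        findings.append("signing certificate differs from the IdP's known token-signing cert")
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        life = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds()
        if life > MAX_LIFETIME_SECONDS:
            findings.append(f"validity window of {life:.0f}s exceeds the IdP's {MAX_LIFETIME_SECONDS}s")
    return findings

def build_assertion(issuer, cert_der, not_before, not_after):
    """Build a minimal constructed assertion (no real signature value) for demonstration."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
            "</saml:Assertion>")

# Constructed samples: one normal one-hour token, and one signed by an unknown cert
# that claims a 24-hour lifetime (two of the anomalies the check is meant to surface).
NORMAL = build_assertion(TRUSTED_ISSUER, LEGIT_CERT_DER,
                         "2020-12-21T10:00:00Z", "2020-12-21T11:00:00Z")
SUSPICIOUS = build_assertion(TRUSTED_ISSUER, b"constructed-rogue-cert",
                             "2020-12-21T10:00:00Z", "2020-12-22T10:00:00Z")
```

A token forged with the IdP's stolen signing key carries the legitimate certificate, so the fingerprint check alone will not catch it; the lifetime and issuer checks, plus correlating each assertion with a matching logon event on the IdP, are what remain.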
Read more in:
US-CERT-CISA: Alert (AA20-352A) | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (revised 12/21/2020)
Cloudfront: Form 8-K | SolarWinds Corporation (PDF)
Health IT Security: Fed Cybersecurity Advisory Alerts to Abuse of Authentication Mechanisms
Bleeping Computer: NSA warns of hackers forging cloud authentication information
Defense: Detecting Abuse of Authentication Mechanisms (PDF)