CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
NSA Advisory Says VMWare Flaw Used To Perform Federated Login in SolarWinds Hack

Alicia Hope·December 28, 2020

U.S. federal cybersecurity agencies have issued advisories stating that the threat actors behind the SolarWinds attack also exploited “non-SolarWinds products” to gain access to targets’ systems. According to the advisories, the attackers used the trojanized SolarWinds Orion software to gain initial access to local networks and then exploited a VMware vulnerability (CVE-2020-4006) to perform federated login through Microsoft Active Directory Federation Services (ADFS).

The SolarWinds hack has been linked to intrusions at major organizations including FireEye and several federal agencies. VMware released a patch on Dec. 3 to close the hole after the NSA reported the vulnerability to the company.

Vulnerable VMware products exploited in the SolarWinds hack

According to the NSA Dec 7 advisory, “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.”

The NSA noted that to complete federated login, the threat actors first had to reach the vulnerable VMware device’s management interface (the flaw is a command injection in the administrative configurator, and exploiting it also requires valid credentials for the configurator admin account). If that interface was not exposed to the Internet, the attackers therefore had to already be inside the target’s internal network.

The trojanized SolarWinds Orion software, however, gave the attackers an easy way into the target’s local network. From there they could reach the VMware products and complete federated login by generating authentication tokens (SAML assertions) that ADFS would accept.

VMware told KrebsOnSecurity that it had received no notification or indication that threat actors combined the CVE-2020-4006 vulnerability with the SolarWinds Orion software to carry out the SolarWinds hack.

In a statement, VMware said that “while we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation.”

SAML certificate used to generate authentication tokens for federated login

DHS’s CISA alert of Dec. 17 noted that the threat actors were using additional attack vectors beyond the trojanized SolarWinds software. CISA reported that the actors performed federated login “by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges.”

With the stolen signing key, the hackers forged tokens that no authentication event had ever issued but that were nonetheless validly signed, and presented them to environments that trust SAML tokens from the source environment. Using these tokens, the attackers could complete federated login, access cloud resources such as Microsoft Office 365, and exfiltrate data through APIs.

The Dec. 7 advisory said that the NSA had identified hacking activity involving the VMware vulnerability leading to the “installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS).” ADFS then granted the attackers access to sensitive information.

In its Dec. 17 advisory, the NSA said that the SAML tokens used for federated login against Microsoft’s ADFS during the SolarWinds hack may have been generated using VMware’s vulnerable software.

The advisory added that the attackers successfully bypassed the multi-factor authentication (MFA) protecting the targeted systems. They also impersonated and targeted key cybersecurity personnel, such as incident response staff and staff responsible for email accounts.

Advice from NSA for affected companies

The NSA advised organizations affected by the SolarWinds hack to treat their email accounts, internal networks, and identity trust stores as compromised, and consequently to use out-of-band channels when discussing how to clean up their networks.

The advisory recommended a “full reconstitution of identity and trust services” to remediate the effects of the SolarWinds hack where an organization’s identity store was fully compromised. Noting that the threat actor was highly skilled, the advisory recommended a “full rebuild of the environment.”
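The two passages above, the forged-but-valid SAML tokens and the NSA’s call for a full reconstitution of identity and trust services, are two sides of the same fact: a federated service provider checks only the signature on a token, so whoever holds the IdP signing key can mint tokens for any user, and only replacing that key makes those tokens stop working. The following Go program is an added example written for this article, not code from the NSA, CISA, Microsoft or VMware. It is a simplified stand-in for SAML federation: real SAML assertions are XML signed with XML-DSig over a canonicalised document, whereas here an assertion is a struct canonicalised as a string and signed with RSA-SHA256, which keeps the same trust relationship with the XML removed. The entity IDs, user names and the fixed clock are constructed for the demonstration.

```go
package main

// Added example (not from the article or any vendor): why a stolen IdP signing
// key yields valid tokens, and why rotating the key is what invalidates them.
// Real SAML uses XML assertions + XML-DSig; this uses a string-canonicalised
// struct signed with RSA-SHA256, the same trust model without the XML.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Assertion carries the claims a service provider (e.g. a cloud tenant) acts on.
type Assertion struct {
	Issuer       string    // entity ID of the identity provider (ADFS)
	Subject      string    // user the token asserts
	Audience     string    // service provider the token is meant for
	AuthnContext string    // e.g. "MultiFactor" or "Password" claim
	NotOnOrAfter time.Time // expiry
}

// canonical renders the assertion deterministically so the signature covers every claim.
func (a Assertion) canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%s\n%s", a.Issuer, a.Subject, a.Audience,
		a.AuthnContext, a.NotOnOrAfter.UTC().Format(time.RFC3339)))
}

// Sign produces the token signature. Anyone holding key can call this whether or
// not the subject ever authenticated; the IdP login flow is all that normally
// stands between a user and this function.
func Sign(key *rsa.PrivateKey, a Assertion) ([]byte, error) {
	h := sha256.Sum256(a.canonical())
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// ServiceProvider trusts exactly one IdP signing key, as a federated cloud tenant does.
type ServiceProvider struct {
	Audience string
	Trusted  *rsa.PublicKey
}

// Accept is everything the relying party checks: signature, audience, expiry.
// It cannot know whether MFA really happened; it trusts the signed claim.
func (sp *ServiceProvider) Accept(a Assertion, sig []byte, now time.Time) error {
	h := sha256.Sum256(a.canonical())
	if err := rsa.VerifyPKCS1v15(sp.Trusted, crypto.SHA256, h[:], sig); err != nil {
		return errors.New("signature not from trusted IdP key")
	}
	if a.Audience != sp.Audience {
		return errors.New("audience mismatch")
	}
	if !now.Before(a.NotOnOrAfter) {
		return errors.New("token expired")
	}
	return nil
}

// Result records which tokens the service provider accepted at each stage.
type Result struct {
	LegitAccepted       bool // genuine IdP token, original key
	ForgedAccepted      bool // attacker-minted token, stolen key
	ForgedAfterRotation bool // same forged token once the SP trusts a new key
	LegitAfterRotation  bool // genuine token signed by the rotated key
}

// Demo walks three stages: normal federation, forgery with a stolen signing
// key, and reconstitution of trust by replacing that key.
func Demo() (Result, error) {
	var r Result
	now := time.Date(2020, 12, 20, 12, 0, 0, 0, time.UTC) // fixed clock, constructed
	const idp, sp = "https://adfs.corp.example/adfs/services/trust", "https://cloud.example/tenant" // hypothetical IDs
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	cloud := &ServiceProvider{Audience: sp, Trusted: &idpKey.PublicKey}

	// Stage 1: a real login. ADFS authenticated alice and signs a short-lived token.
	legit := Assertion{idp, "alice@corp.example", sp, "Password", now.Add(time.Hour)}
	legitSig, _ := Sign(idpKey, legit)
	r.LegitAccepted = cloud.Accept(legit, legitSig, now) == nil

	// Stage 2: the attacker exfiltrated idpKey from the ADFS server. No login, no
	// MFA prompt, any subject and lifetime they choose; the SP cannot tell.
	forged := Assertion{idp, "admin@corp.example", sp, "MultiFactor", now.Add(365 * 24 * time.Hour)}
	forgedSig, _ := Sign(idpKey, forged)
	r.ForgedAccepted = cloud.Accept(forged, forgedSig, now) == nil

	// Stage 3: reconstitute trust. Generate a new signing key and point the SP at
	// it only. Every token minted with the stolen key now fails verification.
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	cloud.Trusted = &newKey.PublicKey
	r.ForgedAfterRotation = cloud.Accept(forged, forgedSig, now) == nil
	legitSig2, _ := Sign(newKey, legit)
	r.LegitAfterRotation = cloud.Accept(legit, legitSig2, now) == nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point of stage 2 is that the forged token is indistinguishable to the relying party from a genuine one: it carries an MFA claim that was never satisfied and a lifetime far longer than ADFS would issue, yet it passes every check the service provider can perform. Stage 3 is the “reconstitution” the advisory asks for. Patching the VMware device or removing the web shell does not help a tenant that still trusts the old key; until the key is replaced and the old one removed from every relying party’s trust configuration, tokens minted from the stolen key remain valid.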


CISA also advised government agencies and contractors to patch their systems to prevent Russian state-sponsored threat actors from accessing core government systems.
