NSA, CISA warn of attacks on federated authentication

While incident responders focus on attacks using SolarWinds Orion, government cyber defenders highlight other methods likely being used as well.

An attacker-modified update to the SolarWinds Orion network management product that compromised thousands of companies and government agencies is likely not the only way Russian attackers infiltrated networks, according to the US Cybersecurity and Infrastructure Security Agency (CISA) in an update over the weekend.

In an updated alert about the recent cyber-espionage attacks against government agencies and private-sector companies, CISA noted on Dec. 18 that the attackers appear to have used other vectors of attacks outside of the SolarWinds Orion platform. On Dec. 21, the agency pointed to an advisory published the previous week by the National Security Agency, which warned that attackers were stealing private keys for single sign-on (SSO) infrastructure to bypass two-factor authentication.

The NSA pointed to a Dec. 7 warning that Russian state-sponsored actors had exploited a vulnerability in VMware Access and VMware Identify Manager products to gain access to protected data. CISA did not name VMware but cited the issue in similar language.

“Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” the agency stated in its updated advisory.

To read the complete article, visit Dark Reading.