UPDATED 22:04 EDT / DECEMBER 21 2020


National Security Agency warns hackers are forging cloud authentication information

The U.S. National Security Agency has issued a warning that hackers are forging cloud authentication information to gain access to secure systems.

In a Dec. 17 cybersecurity advisory titled “Detecting Abuse of Authentication Mechanisms,” the NSA gave guidance to the National Security System, Department of Defense and Defense Industrial Base network administrators. The goal is to detect and mitigate against malicious actors who are manipulating trust in federated authentication environments to access protected data in the cloud.

The warning specifically references CVE-2020-4006, a command injection vulnerability discovered in November that affected VMware Inc.’s Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector.

According to the NSA, state-sponsored actors are exploiting the vulnerability to forge credentials and gain access to protected files.

The NSA also references the SolarWinds hack, which could turn out to be the largest compromise of all time, noting that it is “one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access.”

The NSA recommends that those using VMware and other forms of software harden and monitor systems that run local identity and federation services, lock down tenant single-sign-on configuration in the cloud and monitor for indicators of compromise.

“The risk of third-party applications has always been a concern for security teams,” Brendan O’Connor, chief executive officer and co-founder of security posture management platform company AppOmni Inc., told SiliconANGLE. “The SolarWinds breach is an example of a third-party application inserting a vulnerability into an otherwise secure infrastructure. While the SolarWinds breach occurred in an on-premise environment, third-party apps can also create vulnerabilities in software-as-a-service environments.”

The issue, he added, is that because of the nature of these third-party connections, they’re frequently approved by individual users without any security oversight. “While these applications may be quite useful, they are hidden pathways into an organization’s most sensitive data,” he said. “These cloud-to-cloud connections exist outside the firewall and cannot be detected by traditional scanning and monitoring tools.”

Chris Henson, technical director of Space and Weapons Cybersecurity Solutions at the NSA, spoke in October with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, about the current U.S. national cybersecurity strategy.
