FireEye CEO Kevin Mandia testifies during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. FireEye owns Mandiant, founded by Mandia, which released research Tuesday about the need to lock down Active Directory Federation Services. (Photo by Drew Angerer/Getty Images)
Mandiant Tuesday posted a blog detailing a new attack strategy against Microsoft’s Active Directory Federation Services (AD FS). Researchers with the company believe the need to protect AD FS might be the unheralded second lesson from the SolarWinds campaign.
The main lesson organizations drew from the SolarWinds campaign was the need to protect against third-party risk and address supply chain security. Hackers that the United States linked to Russian Intelligence used a gimmicked update to the SolarWinds IT management software and other vectors to take over a variety of government agencies and private organizations.
Learn SAML: The Language You Don't Know You're Already Speaking
Security Assertion Markup Language, a protocol most people use daily to log into applications, makes authentication easier for both admins and users. Here's what you need to know about SAML (and what it has to do with GoldenSAML).
Security Assertion Markup Language (SAML): You may have heard of it. You've likely used it at least once today to log into a website portal or enterprise application. But what is SAML? How does it work? And why do you need to know about it?
What Is SAML?
VMware Flaw Used To Hit Choice Targets In SolarWinds Hack: Report
A VMware vulnerability that allowed federated authentication abuse was used by the SolarWinds hackers to attack valuable targets, KrebsOnSecurity said. VMware said it didn't have any indication of this happening.
By Michael Novinson, December 18, 2020, 03:52 PM EST
A VMware vulnerability that allowed access to protected data and federated authentication abuse was used by the SolarWinds hackers to attack high-value targets, KrebsOnSecurity reported.
The U.S. National Security Agency (NSA) warned on Dec. 7 that a flaw in the software of Palo Alto, Calif.-based VMware was being used by Russian hackers to impersonate legitimate users on breached networks. In order to exploit this vulnerability, the NSA said hackers would need to be on the target’s internal network, which KrebsOnSecurity pointed out would have been the case in the SolarWinds hack.
December 18, 2020
U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks.
On Dec. 7, 2020, the NSA said "Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication."