FireEye Explains Active Directory Federation Services Nobelium Exploit — Redmondmag.com


Security solutions company FireEye on Tuesday described how Active Directory Federation Services (ADFS) could have been exploited to gain access to Microsoft 365 emails during Nobelium (“Solorigate”) attacks used for espionage purposes.

ADFS is a Windows Server role that provides single sign-on to services such as Exchange Online, the messaging service in Microsoft 365. Organizations use ADFS to keep the authentication process on their own servers: users authenticate against on-premises Active Directory, and ADFS issues a signed token that the cloud service accepts. However, the attackers (identified by the Biden administration as working on behalf of Russia) found a way to abuse ADFS to read Exchange Online messages, a problem first detected in December 2020.

The breach, which affected government agencies and software companies (including FireEye and Microsoft), began with a so-called “supply chain compromise”: malicious code was inserted into the SolarWinds Orion management product at the build stage, and that implant served as the foothold for delivering further attack tooling. Abusing ADFS to reach email was one of the last stages of the intrusions, alongside other techniques.

Fake Golden SAML
FireEye’s analysis explains that Microsoft 365 services trust SAML tokens from an organization’s ADFS server because those tokens are signed with the ADFS token-signing certificate. Attackers who obtain that certificate and its private key can “generate arbitrary SAML tokens to access any federated application, as any user, and even bypass MFA [multifactor authentication]”, said FireEye. This type of attack is called a “Golden SAML” forgery.

The encrypted token-signing certificate can be retrieved over the network through the ADFS Policy Store Transfer Service, the mechanism farm members use to replicate configuration. An attacker can abuse that same mechanism, especially where organizations have not hardened their ADFS servers beyond the defaults.

Here is how FireEye explained this point:

A malicious actor can abuse the Policy Store Forwarding Service to acquire the encrypted token-signing certificate over the network, similar to the DCSync technique for Active Directory. It is important to note that the data is always encrypted and requires the DKM key stored in Active Directory to be decrypted. This technique, however, requires a significant change in how defenders secured AD FS servers and monitored them for token-signing certificate theft.

Organizations will need “a robust defense-in-depth program using secure credential management, EDR, and network segmentation” to make it “very difficult for a malicious actor to gain access to an AD FS server and token-signing certificate,” according to FireEye’s analysis. In a default ADFS installation the service accepts “HTTP traffic from any system”, so an attacker holding any local administrator account on an ADFS server can use it to pull the certificate.

Mitigation tips
Organizations using ADFS should add the following protections, according to FireEye:

  • Use Windows Firewall “to restrict access to TCP port 80 to only AD FS servers in the farm”.
  • Organizations running a single ADFS server can block port 80 entirely, since user authentication uses port 443.
  • Inbound communication can be restricted further through additional firewall configuration changes.
  • Alerts can be set on HTTP POST requests to the Policy Store Transfer Service endpoint, the channel through which the certificate is pulled, to detect this attack behavior.
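The mitigation and detection points above as one script, added here as an example and not code from FireEye or Microsoft. Assumptions: the farm addresses are placeholders, the rule name is arbitrary, the transfer endpoint path (/adfs/services/policystoretransfer) and the log line layout consumed by the detection function are constructed for the example, and the firewall functions must run elevated on each AD FS server.

```powershell
# Added example for this article; not FireEye's or Microsoft's code.
# Assumptions: placeholder farm addresses, arbitrary rule name, and a
# constructed endpoint path and log layout in the detection function.

$FarmMembers = @('10.0.0.11', '10.0.0.12')   # placeholder AD FS farm addresses

# Audit first: which inbound allow rules currently admit TCP/80, and from where?
# A RemoteAddress of 'Any' is the exposure FireEye describes.
function Get-InboundPort80Rules {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq '80' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                RemoteAddress = ($remote -join ', ')
            }
        }
}

# Farm of two or more servers: keep TCP/80 open only to the other farm members.
# The existing allow rules are scoped down rather than supplemented, because a
# broad allow rule left in place would still admit any source.
function Set-Port80FarmScope {
    param([Parameter(Mandatory)][string[]]$AllowedAddresses)
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq '80' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Set-NetFirewallRule -RemoteAddress $AllowedAddresses
    # Anything not matched by an allow rule is dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
}

# Single server: nothing legitimate needs TCP/80 (users authenticate on 443),
# so block it outright. A Block rule wins over any Allow rule in Windows Firewall.
function Block-Port80Inbound {
    New-NetFirewallRule -DisplayName 'AD FS - block inbound TCP/80' `
        -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block -Profile Any
}

# Detection: flag HTTP POSTs to the policy store transfer endpoint from any
# source that is not a farm member. Input lines use the constructed layout
# "<timestamp> <src-ip> <dst-ip> <method> <path>", as a proxy or IDS export
# might produce; adapt the regex to the real log format.
function Find-PolicyStoreTransferPost {
    param([string[]]$LogLines, [string[]]$AllowedAddresses)
    $pattern = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<dst>\S+)\s+(?<method>\S+)\s+(?<path>\S+)'
    foreach ($line in $LogLines) {
        if ($line -match $pattern -and
            $Matches.method -eq 'POST' -and
            $Matches.path -like '/adfs/services/policystoretransfer*' -and
            $AllowedAddresses -notcontains $Matches.src) {
            [pscustomobject]@{
                Time   = $Matches.ts
                Source = $Matches.src
                Target = $Matches.dst
                Path   = $Matches.path
            }
        }
    }
}

# Constructed sample: one legitimate farm replication POST, one POST from a
# workstation address, and one unrelated GET to the sign-in page.
$sample = @(
    '2021-03-02T10:00:01Z 10.0.0.12 10.0.0.11 POST /adfs/services/policystoretransfer',
    '2021-03-02T10:05:44Z 10.0.5.77 10.0.0.11 POST /adfs/services/policystoretransfer',
    '2021-03-02T10:06:00Z 10.0.5.77 10.0.0.11 GET /adfs/ls/'
)
Find-PolicyStoreTransferPost -LogLines $sample -AllowedAddresses $FarmMembers |
    Format-Table -AutoSize
```

Run Get-InboundPort80Rules before and after hardening; any rule still listing RemoteAddress Any is the default exposure FireEye describes. On the constructed sample, Find-PolicyStoreTransferPost reports only the POST from 10.0.5.77: the replication POST from the farm member and the GET to the sign-in page are ignored. The detection side assumes a network vantage point such as a proxy or IDS export rather than logs on the AD FS server itself.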

Microsoft has not called ADFS insecure, and in recent Senate testimony it said the forged SAML token technique was used by the Nobelium attackers only about 15% of the time. Other observers, including security solutions company CrowdStrike, have called this Golden SAML attack avenue an “architectural limitation” of Active Directory.

Defending against supply chain attacks is difficult because the malicious code arrives inside software the organization already trusts. Nevertheless, a guide on how to defend against them was recently published jointly by the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology, as described in this recent announcement.

About the Author


Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.