FireEye explains the Nobelium exploit of Active Directory Federation Services
Security solutions company FireEye on Tuesday described how Active Directory Federation Services (ADFS) could have been exploited to access Microsoft 365 emails during Nobelium (“Solorigate”) attacks used for espionage.
ADFS is a Windows server role used to enable single sign-on access to services, such as Exchange Online, which is the mail service that is part of Microsoft 365 services. Organizations can use ADFS to keep the authentication process localized on their own servers. However, the attackers (identified by the Biden administration as working on behalf of Russia) found a way to exploit ADFS to access Exchange Online messages, an issue that was first detected in December.
The breach, which has affected governments and software companies (including FireEye and Microsoft), was initiated through a “supply chain compromise.” Contaminated code was inserted into the SolarWinds Orion management product at the build stage, paving the way for further injection of attack software. One of the last stages of the attacks used ADFS to access mail traffic, although other attack methods were also used.
Golden SAML forgery
FireEye analysis indicated that Microsoft 365 services trust the SAML token from the AD FS server through a token signing certificate. Attackers who can get their hands on the token signing certificate can “generate arbitrary SAML tokens to access any federated application, like any user, and even bypass the MFA [multifactor authentication].” This type of attack is called “Golden SAML” forgery.
Access to the encrypted token signing certificate is through the Policy Store Transfer Service, but this process can be abused by an attacker, especially if organizations have not taken additional steps to secure AD FS servers.
Here’s how FireEye explained this point:
A malicious actor can abuse the Policy Store Transfer Service to acquire the encrypted token signing certificate over the network, similar to the DCSync technique for Active Directory. It is important to note that the data is always encrypted and requires the DKM key stored in Active Directory to be decrypted. This technique, however, requires a significant change in the way defenders secure AD FS servers and monitor them for theft of the token signing certificate.
Organizations will need “a strong defense-in-depth program using secure credentials management, EDR, and network segmentation” to make it “very difficult for a malicious actor to access an AD FS server and the token signing certificate,” according to FireEye analysis. The default ADFS installation allows access to “HTTP traffic from any system,” and any local administrator account on the ADFS server can then be used for access.
Organizations using ADFS should add the following protections, according to FireEye:
- Use Windows Firewall “to restrict access to port 80 TCP to only AD FS servers in the farm”.
- Users of single AD FS servers can simply block port 80, as port 443 is used for authentication.
- Incoming communications can be limited by making changes to the firewall configuration.
- Alerts can be set for HTTP POST requests from the Policy Store Transfer service to detect this type of attack behavior.
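The last recommendation, alerting on HTTP POST requests to the Policy Store Transfer Service, is shown below as an added example that is not FireEye's or Microsoft's code. It assumes W3C-style HTTP request logs with a fixed field order, a constructed list of AD FS farm members (whose replication traffic to this endpoint is expected), and the endpoint path /adfs/services/policystoretransfer, which is an assumption rather than a value from the article.

```python
"""Flag HTTP POST requests to the AD FS Policy Store Transfer Service endpoint.

Added example. The log lines and farm membership below are constructed; the
endpoint path and the W3C field order are assumptions, not taken from the article.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed path of the Policy Store Transfer Service endpoint (served over TCP/80).
PST_PATH = "/adfs/services/policystoretransfer"

# Constructed: AD FS farm members that legitimately replicate configuration here.
FARM_MEMBERS = {"10.0.1.10", "10.0.1.11"}


@dataclass
class Alert:
    timestamp: str
    client_ip: str
    status: str
    reason: str


def parse_w3c(line: str) -> Optional[dict]:
    # Assumed field order: date time s-ip cs-method cs-uri-stem c-ip sc-status
    fields = line.split()
    if line.startswith("#") or len(fields) < 7:
        return None  # directive/comment line or truncated record
    return {"time": f"{fields[0]} {fields[1]}", "method": fields[3],
            "uri": fields[4].lower(), "client": fields[5], "status": fields[6]}


def detect_pst_access(lines: Iterable[str], farm=FARM_MEMBERS) -> List[Alert]:
    """Return one Alert per POST to the PST endpoint from a host outside the farm."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_w3c(line)
        if rec is None or rec["method"] != "POST" or rec["uri"] != PST_PATH:
            continue
        if rec["client"] in farm:
            continue  # expected farm replication traffic, not an alert
        alerts.append(Alert(rec["time"], rec["client"], rec["status"],
                            "POST to Policy Store Transfer Service from non-farm host"))
    return alerts


# Constructed sample log (not real traffic). Only the last two lines should alert.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2021-01-05 10:00:01 10.0.1.10 POST /adfs/services/policystoretransfer 10.0.1.11 200
2021-01-05 10:00:07 10.0.1.10 GET /adfs/ls/ 10.0.5.23 200
2021-01-05 10:01:42 10.0.1.10 POST /adfs/services/policystoretransfer 10.0.5.23 200
2021-01-05 10:01:43 10.0.1.10 POST /adfs/services/policystoretransfer 192.0.2.77 401""".splitlines()

if __name__ == "__main__":
    for alert in detect_pst_access(SAMPLE_LOG):
        print(alert)
```

In a real deployment the allow-list should be the same set of farm addresses used in the port 80 firewall rule, so that the firewall and the alert agree on what counts as expected traffic.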
Microsoft did not say that ADFS is insecure, and recently claimed in Senate testimony that the SAML token tampering approach had been used by the Nobelium attackers only 15% of the time. Other observers, including security company CrowdStrike, have called this Golden SAML attack avenue an “architectural limitation” of Active Directory.
It is difficult to defend against supply chain attacks because organizations use trusted software. Nonetheless, a guide on how to defend against them was recently published jointly by the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology, as described in this recent announcement.
Kurt Mackie is Senior News Producer for 1105 Media’s Converge360 Group.