12/22/2020
06:35 PM
SolarWinds Campaign Focuses Attention on 'Golden SAML' Attack Vector

Adversaries that successfully execute attack can achieve persistent anytime, anywhere access to a victim network, security researchers say.

The recently disclosed compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on a dangerous Active Directory Federation Services (ADFS) bypass technique dubbed "Golden SAML," which cybersecurity vendor CyberArk first warned about in 2017.

The attack gives threat actors a way to maintain persistent access to all of an enterprise's ADFS federated services. This includes hosted email services, file storage services such as SharePoint, and hosted business intelligence apps, time-card systems, and travel systems, according to a blog post from Israel-based Sygnia. The attention that the SolarWinds campaign has drawn to the attack technique significantly raises the likelihood of adversaries leveraging it in future attacks, Sygnia said. "It is therefore highly advised that organizations move swiftly in taking the necessary steps to protect their [single sign-on] infrastructure and establish effective monitoring to detect and respond to such attacks."

According to Sygnia, the Golden SAML technique involves the attackers first gaining administrative access to an organization's ADFS server and stealing the necessary private key and signing certificate.

When a user at the victim organization attempts to access a federated service such as AWS or Microsoft 365, the service redirects the request to ADFS for authentication. Normally, the user authenticates to ADFS, and ADFS returns a SAML response (the token), signed with its token-signing certificate, to the app or federated service via the user's browser. The app or federated service verifies the signature on the response and lets the user log in.

In a Golden SAML attack, the user's credentials never come into play: when a service redirects to ADFS for authentication, the attacker forges a SAML response with the stolen token-signing key and presents it to the service, which accepts it exactly as it would a token issued by ADFS. The attack vector gives adversaries access to critical infrastructure without requiring any additional access to the victim environment. Importantly, attackers retain that access until the ADFS token-signing private key is invalidated and replaced, a task that requires updating or breaking the trust relationship with every federated system, according to Sygnia.

Arie Zilberstein, vice president of incident response at Sygnia, says ADFS servers are considered "tier-zero" infrastructure and are therefore usually well protected, requiring high privileges for access. "However, the threat actors in this case had a major advantage — the attack originated from SolarWinds," he says. "As SolarWinds Orion is an IT monitoring solution, it usually has access to high-privileged accounts and most servers in any environment, including ADFS."

Zilberstein says the threat actors used Golden SAML in the post-exploitation phase after compromising the internal network and getting access to the ADFS environment on target victim networks. The goal was to establish persistent access to critical resources such as Microsoft 365. Stealing the signing certificate and private key from the ADFS servers gave the attackers anytime, anywhere access to the victim network regardless of additional access to the environment, he says.

An advanced persistent threat (APT) group called Dark Halo (aka UNC2452), believed to be based in Russia, breached SolarWinds' software build system and injected a backdoor called Sunburst into updates of the company's Orion network management software. The updates were sent out to some 33,000 organizations worldwide, about 18,000 of which installed them on their systems. With a small subset of those organizations, the attackers used the Sunburst Trojan to download other malware for stealing data and conducting other forms of cyber espionage. A majority of the victims are believed to be technology companies, government organizations, contractors, and think tanks. Among the known victims are the US Treasury Department, Microsoft, and security vendor FireEye.

SolarWinds has said the attackers managed to poison Orion software updates that the company pushed out between March and June 2020. However, SecurityScorecard says its investigation shows evidence of a Trojanized backdoor in SolarWinds products as far back as October 2019, which means the breach was undetected for a significantly longer time than previously reported.

Initially, it was believed that SolarWinds' Orion platform was the only initial access vector. However, late last week, the US Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) warned that it had evidence the APT group behind the SolarWinds attack had gained access to some networks using other methods than the tainted updates.

The CISA, National Security Agency, and Microsoft also warned about the attackers bypassing multifactor authentication (MFA) on victim networks by stealing private keys for single sign-on and forging SAML tokens. In a rare emergency directive, the CISA said one of the ways the adversary was gathering information from victim networks after it had gained initial access was by obtaining privileged access to Active Directory environments, compromising the SAML signing certificate, and then creating unauthorized authentication tokens for accessing federated services.

The CISA has instructed all federal civilian agencies to disconnect their SolarWinds instances and not install any of the patches the company has issued, until further notice. It has also warned all federal civilian agencies not to configure SolarWinds software to implement SAML-based authentication using ADFS. "This configuration is currently being exploited by the threat actor associated with this activity," the CISA noted in its advisory.

CyberArk, which in 2017 released a tool that demonstrates how the attack works, has described Golden SAML as an attack vector that gives adversaries a way to gain persistent access with any privileges they desire to any application that supports SAML authentication, including AWS and Azure.

The vendor has stressed that the attack vector does not rely on a security bug in SAML or with ADFS or any identity provider. Since it is an adversary with administrative access to the authentication environment that executes the attack, defenders can have a very difficult time spotting them, the security vendor has noted.

"I do think this tactic will become more commonly used," says Shaked Reiner, principal cyber researcher at CyberArk Labs. "With more and more services being ported to the cloud, SAML has become the de facto authentication standard to establish trust between the cloud and on-premises services."

Instead of settling for the domain's Kerberos key distribution account (the krbtgt account, whose key lets an attacker forge a "golden ticket" for any identity, but only within that one domain), attackers can steal the SAML token-signing certificate and forge almost any identity across the entire organization's federated services. "After getting this certificate, it's a matter of signing a token for whatever identity the attackers desire, which is a rather easy process," Reiner says.

The attack vector is problematic for defenders because it sidesteps MFA entirely. A user normally receives a valid SAML token only after authenticating to ADFS, including any MFA step, so an attacker holding the signing certificate simply skips that stage, he says. "It allows them to go straight to forging an identity using the stolen certificate, without having to know the user password or have other authentication factors." Attackers can grant themselves any identity and permission they desire, he says.

"No changes in users' credentials can help remediate this attack vector," Reiner notes. "Once attackers get a hold of the organization's SAML token signing certificate, this certificate must be changed in order to completely revoke the attackers' ability to use a Golden SAML."

In its blog post, Sygnia described some measures that organizations with an on-premises ADFS environment can take to detect a Golden SAML attack. They include correlating cloud service login events with the corresponding ADFS authentication events, since a forged token produces a login that ADFS never actually issued, and identifying events that indicate the token-signing certificate was exported from the ADFS server.
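The correlation Sygnia describes, as an added example that is not part of the article or of Sygnia's or CyberArk's own tooling: every legitimate federated sign-in should be preceded, shortly before, by an AD FS token-issuance event for the same user and relying party; a sign-in with no such event is a candidate forged token. The event IDs (1200 for a successfully issued token in the AD FS security audit log, 1007 for a certificate export in the AD FS admin log) are assumptions to verify against your own AD FS audit configuration, and the log records are constructed samples in a simplified shape, not a real log format.

```python
"""Correlate federated cloud sign-ins with AD FS token-issuance events
to surface sign-ins that AD FS never issued a token for (Golden SAML
candidates), and list certificate-export events on the AD FS server.
Added example; event IDs and record layout are assumptions."""
from datetime import datetime, timedelta

TOKEN_ISSUED = 1200    # AD FS security audit: "The Federation Service issued a valid token" (assumed ID)
CERT_EXPORTED = 1007   # AD FS admin log: a certificate was exported (assumed ID)
WINDOW = timedelta(minutes=5)   # max gap between AD FS issuance and the cloud sign-in it explains

# Constructed sample AD FS events (simplified shape, not a real log format).
ADFS_EVENTS = [
    {"event_id": 1200, "time": "2020-12-20T09:00:10", "user": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"event_id": 1200, "time": "2020-12-20T09:30:00", "user": "dave@corp.example",
     "relying_party": "urn:amazon:webservices"},
    {"event_id": 1007, "time": "2020-12-20T02:40:31", "user": "svc_orion@corp.example",
     "relying_party": None},
]

# Constructed sample cloud sign-in records (e.g. from the identity provider's sign-in log).
CLOUD_SIGNINS = [
    # alice: federated sign-in 5 s after AD FS issued her a token for M365 -> normal
    {"time": "2020-12-20T09:00:15", "user": "alice@corp.example",
     "app": "urn:federation:MicrosoftOnline", "auth": "federated", "src_ip": "198.51.100.7"},
    # bob: federated sign-in at 03:12 with no AD FS issuance at all -> candidate forged token
    {"time": "2020-12-20T03:12:00", "user": "bob@corp.example",
     "app": "urn:federation:MicrosoftOnline", "auth": "federated", "src_ip": "203.0.113.9"},
    # dave: AD FS issued him a token for AWS, but this sign-in is to M365 -> relying-party mismatch
    {"time": "2020-12-20T09:30:05", "user": "dave@corp.example",
     "app": "urn:federation:MicrosoftOnline", "auth": "federated", "src_ip": "198.51.100.20"},
    # carol: cloud-managed password sign-in; AD FS is not involved, so out of scope
    {"time": "2020-12-20T10:05:00", "user": "carol@corp.example",
     "app": "urn:federation:MicrosoftOnline", "auth": "password", "src_ip": "198.51.100.8"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def issued_tokens(adfs_events):
    """Index AD FS token-issuance timestamps by (user, relying party)."""
    idx = {}
    for e in adfs_events:
        if e["event_id"] == TOKEN_ISSUED:
            key = (e["user"].lower(), e["relying_party"])
            idx.setdefault(key, []).append(_ts(e["time"]))
    return idx


def unbacked_signins(signins, adfs_events, window=WINDOW):
    """Return federated cloud sign-ins that no AD FS issuance event explains.

    A Golden SAML token is minted by the attacker with the stolen key, so
    AD FS never logs an issuance for it: the cloud side sees a sign-in,
    the AD FS side sees nothing for that user and relying party.
    """
    idx = issued_tokens(adfs_events)
    flagged = []
    for s in signins:
        if s["auth"] != "federated":
            continue
        t = _ts(s["time"])
        candidates = idx.get((s["user"].lower(), s["app"]), [])
        if not any(t - window <= issued <= t for issued in candidates):
            flagged.append(s)
    return flagged


def cert_exports(adfs_events):
    """Certificate-export events on the AD FS server; each one deserves review."""
    return [e for e in adfs_events if e["event_id"] == CERT_EXPORTED]


if __name__ == "__main__":
    for s in unbacked_signins(CLOUD_SIGNINS, ADFS_EVENTS):
        print(f"SUSPECT: federated sign-in for {s['user']} at {s['time']} from {s['src_ip']} "
              f"with no AD FS token issuance in the preceding {WINDOW}")
    for e in cert_exports(ADFS_EVENTS):
        print(f"ALERT: certificate export (event {e['event_id']}) by {e['user']} at {e['time']}")
```

Two caveats before running this against real data: AD FS only writes the issuance events if auditing is enabled on the farm, so confirm that first, and clock skew between the AD FS farm and the cloud provider plus long-lived refresh tokens on the cloud side will produce sign-ins with no fresh AD FS event, so tune the window and the sign-in filter (for example, only interactive sign-ins that present a new SAML token) before treating a miss as an alert.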

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio