Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

End of Bibblio RCM includes -->
09:00 AM
Connect Directly

Attacks Targeting ADFS Token Signing Certificates Could Become Next Big Threat

New research shows how threat actors can steal and decrypt signing certificates so SAML tokens can be forged.

Conventional access control and detection mechanisms alone are no longer sufficient to protect enterprise Active Directory Federation Services (ADFS) environments against targeted attacks.

With organizations increasingly adopting cloud services, threat actors have begun focusing on ADFS as an avenue to gain and maintain long-term access on Microsoft 365 and other cloud-based services environments, according to a new FireEye Mandiant report, out Tuesday.

Related Content:

SolarWinds Campaign Focuses Attention on 'Golden SAML' Attack Vector

Special Report: Tech Insights: Detecting and Preventing Insider Data Leaks

New From The Edge: 10K Hackers Defend the Planet Against Extraterrestrials

"[ADFS] is the linchpin that ties together the corporate network with various cloud services like Microsoft 365," says Doug Bienstock, manager at Mandiant. "As more organizations move to the cloud, ADFS and its analogs will increasingly be targeted."

Mandiant's report highlights a previously unknown method for stealing and decrypting a digital signing certificate from an ADFS server so it can be used to forge SAML tokens for accessing an organization's cloud services accounts as any user, at any time, without authentication.

The notion of attackers using forged SAML tokens to freely access enterprise resources on-premises and in the cloud is not new. CyberArk first described the technique, which it dubbed "Golden SAML," back in 2017. The SolarWinds attack disclosed last December marked the first time a threat actor was observed actually using the technique to bypass authentication mechanisms — including multifactor — to gain access to an enterprise cloud services environment.

Mandiant's tactic takes advantage of the fundamental process by which ADFS enables federated identity and access management in enterprise environments. To enable single sign-on access to enterprise apps on-premises and in the cloud, ADFS first verifies a user's identity using Active Directory and then issues SAML tokens containing digitally signed assertions that describe the user. Applications such as Microsoft 365 use the tokens to authorize the appropriate level of access to users.

"The Token Signing Certificate is the bedrock of security in ADFS," Bienstock writes in Mandiant's report. "Microsoft 365 uses the digital signature to validate that the SAML token is authentic, valid, and comes from an ADFS server that it trusts."

Stealing the tokens can be relatively difficult in default ADFS configurations where the token signing certificate is stored in encrypted form in a tightly restricted internal Windows database on the ADFS server. Controls such as secure credential management, network segmentation, and EDR can all hamper an attacker's ability to access an ADFS server and the token signing certificate.

However, the situation is different in environments where multiple ADFS servers have been deployed for load-balancing and high-availability purposes. The multiple individual ADFS nodes in these so-called farm configurations use a replication service to share and sync configuration info and certificates from the primary server.  

The whole process by which this happens gives attackers an opening to steal the token signing certificate simply by accessing the ADFS server over the standard HTTP port and decrypting it using any domain user credentials. "This would give them persistent ability to perform a Golden SAML attack with only access to the network as a requirement," Bienstock states in the report. Because ADFS replication events are not logged, the technique is hard to detect.

"This technique will work in environments that are actually configured as a farm as well as in ones where there is only a single ADFS server for the entire organization," he says.

Typically, when organizations use multiple ADFS servers, the servers share the same token signing certificate. But even when individual ADFS servers in a farm are configured to use unique token signing certificates, Mandiant's method for stealing and decrypting them should work, Bienstock says. "This is untested, but it should still work," he says. "In those cases, the threat actor would extract one particular token signing certificate" and use it to access applications.

To defend against the threat, security administrators need to ensure that only ADFS servers in the farm have access to port 80 TCP. They also need to implement specific measures for limiting inbound communications and monitoring the internal network for specific activity, according to the report, which contains specific mitigation measures for administrators.

Bienstock says that just because there are no public reports — other than SolarWinds — of attackers using the Golden SAML technique doesn't mean there haven't been any previously. "We always say the absence of evidence is not evidence of absence," he says.

"This technique is particularly difficult to detect," he adds. "That is why we want to make sure defenders are aware of it and aware of the mitigations to take to prevent this technique from being successful in the first place."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file