News

FireEye Explains Nobelium Exploit of Active Directory Federation Services

• By Kurt Mackie
• 04/28/2021

Security solutions firm FireEye on Tuesday described how Active Directory Federation Services (ADFS) could have been exploited to gain access to Microsoft 365 e-mails during the Nobelium ("Solorigate") attacks used for espionage purposes.

ADFS is a Window Server role that's used to enable single sign-on access to services, such as Exchange Online, which is the e-mail service that's part of Microsoft 365 services. Organizations may use ADFS to keep the authentication process localized on their own servers. However, attackers (identified by the Biden administration as working on behalf of Russia) found a way to leverage ADFS to gain access to Exchange Online messages, a problem that was first detected in December.

The breach, which affected governments and software companies (including FireEye and Microsoft), was initiated through a so-called "supply-chain compromise." Tainted code was inserted into SolarWinds Orion management product at the build stage, setting the stage for further injection of attack software. One of the later stages of the attacks leveraged ADFS to gain access e-mail traffic, although other attack methods were used, too.

Golden SAML Forgery
FireEye's analysis indicated that Microsoft 365 services trusts the SAML token that comes from the ADFS server via a Token Signing Certificate. Attackers that can get hold of the Token Signing Certificate can "generate arbitrary SAML tokens to access any federated application, as any user, and even bypass MFA [multifactor authentication]," FireEye indicated. This sort of attack is referred to as a "Golden SAML" forgery.

Access to the encrypted Token Signing Certificate happens via a Policy Store Transfer Service, but this process can be abused by an attacker, especially if organizations haven't taken some extra steps to secure ADFS servers.

Here's how FireEye explained that point:

A threat actor can abuse the Policy Store Transfer Service to acquire the encrypted Token Signing Certificate over the network, similar to the DCSync technique for Active Directory. It is important to note that the data is still encrypted and requires the DKM key stored in Active Directory to decrypt. This technique, however, requires a significant change to how defenders have secured AD FS servers and monitored them for theft of the Token Signing Certificate.

Organizations will need "a strong defense in depth program using secure credential management, EDR, and network segmentation" to make it "very difficult for a threat actor to access an AD FS server and the Token Signing Certificate," FireEye's analysis contended. The default ADFS installation permits access to "HTTP traffic from any system" and any local administrator account on the ADFS server can then be leveraged for access.

Mitigation Advice
Organizations using ADFS should add the following protections, according to FireEye:

• Use the Windows Firewall "to restrict access to port 80 TCP to only the AD FS servers in the farm."
• Users of single ADFS servers can just block port 80, since port 443 gets used for authentication.
• Inbound communications can be limited by making some firewall configuration changes.
• Alerts can be set for Policy Store Transfer service HTTP POST requests to detect this sort of attack behavior.

Microsoft hasn't said that ADFS is insecure and recently claimed in Senate testimony that the SAML token forgery approach was just adopted by the Nobelium attackers 15 percent of the time. Other observers, notably from security solutions firm CrowdStrike, have referred to this Golden SAML attack avenue as an Active Directory "architectural limitation."

Supply-chain attacks are difficult to defend against since organizations are running trusted software. Nonetheless, a guide on how to defend against them was recently jointly published by Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology, as described in this recent announcement.