Attacks Targeting ADFS Token Signing Certificates Could Become Next Big Threat

New research shows how threat actors can steal and decrypt signing certificates so SAML tokens can be forged.

Conventional access control and detection mechanisms alone are no longer sufficient to protect enterprise Active Directory Federation Services (ADFS) environments against targeted attacks.


With organizations increasingly adopting cloud services, threat actors have begun focusing on ADFS as an avenue to gain and maintain long-term access to Microsoft 365 and other cloud-based service environments, according to a new FireEye Mandiant report, out Tuesday.


"[ADFS] is the linchpin that ties together the corporate network with various cloud services like Microsoft 365," says Doug Bienstock, manager at Mandiant. "As more organizations move to the cloud, ADFS and its analogs will increasingly be targeted."


Mandiant's report highlights a previously unknown method for stealing and decrypting a digital signing certificate from an ADFS server so it can be used to forge SAML tokens for accessing an organization's cloud services accounts as any user, at any time, without authentication.


The notion of attackers using forged SAML tokens to freely access enterprise resources on-premises and in the cloud is not new. CyberArk first described the technique, which it dubbed "Golden SAML," back in 2017. The SolarWinds attack disclosed last December marked the first time a threat actor was observed actually using the technique to bypass authentication mechanisms — including multifactor — to gain access to an enterprise cloud services environment.


Mandiant's tactic takes advantage of the fundamental process by which ADFS enables federated identity and access management in enterprise environments. To enable single sign-on acce ..
