The recently disclosed compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on a dangerous Active Directory Federation Services (ADFS) bypass technique dubbed "Golden SAML," which cybersecurity vendor CyberArk first warned about in 2017.
The attack gives threat actors a way to maintain persistent access to all of an enterprise's ADFS federated services. This includes hosted email services, file storage services such as SharePoint, and hosted business intelligence apps, time-card systems, and travel systems, according to a blog post from Israel-based Sygnia. The attention that the SolarWinds campaign has drawn to the attack technique significantly raises the likelihood of adversaries leveraging it in future attacks, Sygnia said. "It is therefore highly advised that organizations move swiftly in taking the necessary steps to protect their [single sign-on] infrastructure and establish effective monitoring to detect and respond to such attacks."
According to Sygnia, the Golden SAML technique involves the attackers first gaining administrative access to an organization's ADFS server and stealing the necessary private key and signing certificate.
When a user at the victim organization attempts to access a federated service such as AWS or Microsoft 365, the service redirects the request to ADFS for authentication. Normally, the user would authenticate with ADFS, and ADFS would return a signed SAML response or token to the app or federated service via the user system. The app or federated service would check the response and allows the user to log in.
In a Golden SAML attack, when the user attempts to access a service and when the service redirects the request to ADFS ..
Support the originator by clicking the read the rest link below.
