Exploring the Golden SAML Attack Against ADFS

In December 2020 news broke of FireEye suffering a breach. This shocked the world as FireEye is looked at as one organization that identifies APTs and shows how these groups compromise unsuspecting targets. To think that FireEye themselves be victim meant that everyone else had no chance. In fact, that turned out to be mostly true. Shortly thereafter we learned about the SolarWinds compromise, and the world scrambled. It was bad – really bad.

As more information was revealed we learned that the attackers behind this very large compromise had several objectives. One such objective involved gaining access to the cloud infrastructure of their victims. One attack avenue that seemed to have some mileage involved going after on-premises federated identity provider services with the intent to steal cryptographic keys from Active Directory Federated Services (ADFSs).

A similar attack was first documented by CyberArk Labs in 2017. They demonstrated how an attacker can bypass authentication checks by spoofing the SAML response and signing it with a stolen signing certificate to gain access to an Amazon Web Service account. CyberArk Labs also released a tool, called ‘Shimit’ [4] that demonstrated this. In 2019 Douglas Bienstock and Austin Bake of Mandiant built on this idea with their Troopers 19 presentation where they demonstrated how to achieve a similar result by targeting Microsoft ADFS. They also release two tools ADFSDump and ADFSpoof.

ADFS is used by businesses to improve user experience regarding authentication and access management. It is very likely that staff is exposed to several applications that each require authentication. If there are, for example, 5 systems then employees will need 5 separate sets of credentials, but in reality, staff will most likely reuse their existing password 5 times. Also, this will require staff in this example to potentially log in up to 5 times in a single day. This is cumbersome and will result in staff taking shortcuts, thus weakening security overall.

ADFS enables businesses to implement on-premise Single-Sign-On as this is a feature that can be enabled for Microsoft’s Windows Server.  ADFS enables a business to proxy the authentication process by interfacing with various identity stores, with Microsoft Active Directory being a common use case. ADFS supports open standards such as the Security Assertion Markup Language 2.0 (SAML 2.0) and Web Services Federation Protocol or WS-Fed. Other authentication protocols such as OAuth 2.0 and OpenID Connect are also supported. This allows ADFS to be used as a common junction for authentication with any web application that is compatible with these authentication schemes.

Many businesses started before cloud computing was born or before it was as prominent as it is now. This means these businesses have substantial hardware and software estates that they are responsible for. Many businesses have a cloud adoption strategy, and this could be a partial or full migration. In December 2020 Deloitte referred to an IDC estimate that claims that more than 90 percent of global enterprise will rely on a hybrid cloud strategy by 2022, meaning that parts of business infrastructure still reside on-premises while specific aspects will run on some form of cloud infrastructure. Gartner predicted that 2021 would see an 18 percent growth totaling $304.9 billion in public cloud end-user spending.

Microsoft is an important vendor for many businesses and even governments. Statista lists Microsoft as having 47.5 percent of the productivity software worldwide as of May 2021. Similarly, Statista also lists Microsoft as having just over 71 percent of the desktop market for the period 2012 through 2021. There is a good chance that businesses that already committed a significant number of resources to the Microsoft tech stack have also adopted Microsoft’s Azure and Microsoft 365 cloud offerings. Microsoft also made it easy for existing clients to move parts of their critical on-premises infrastructures, such as Active Directory to Microsoft Azure. This all plays nicely into enabling Microsoft 365, previously known as Office 365.

The SolarWinds attackers knew that several of their potential targets were storing information in the cloud, and it would be less hassle to compromise the on-premises solutions and then pivot to the cloud, than trying to hack into Microsoft Azure blind. Simply put, it is far easier to log in than to hack into cloud services.

Starting with the assumption that an attacker has already breached a network and managed to extract the full Active Directory of the organization, meaning they have all the accounts and associated cryptographic details (hashes) of the target business. This alone is not necessarily enough for our attacker to pivot to the cloud. The attacker must still manage to crack the hashes to uncover passwords for some key accounts and then they might also face multi-factor authentication (MFA) challenges. This approach seems less than optimal when compared to a strategy that will guarantee access without having to know the password or be concerned with hurdles such as MFA.

These attackers have done their homework and knew of services such as ADFS that could open many doors for them. A benefit of compromising a federated identity provider such as ADFS is that it potentially can give you access to other services, not just Microsoft 365 or Azure. Any trusted relationship between ADFS and other services such as Amazon Web Services, SAP Enterprise Portal, SalesForce, ServiceNow, bespoke business-to-business or business-to-government applications that user federated identity services come into scope.

Once on the internal network, an attacker can determine if there are any ADFS installations and proceed to access these with the intent to extract sensitive information from those hosts. Hosts running ADFS is just a Windows Server. If the attacker dumped the target organization’s Active Directory, then getting onto an ADFS host is not so difficult but would still leave footprints when they interact with services on this host.

The attacker needs to extract two pieces of cryptographic material. The first piece is the X509 token signing certificate used by the ADFS server to prove its authenticity to the peer application that asked it to authenticate the user. The second piece is the private key that will unlock the encrypted token signing certificate stored in the Distributed Key Management service associated with the ADFS’ service account. With this information, the attacker can spoof authentication responses without even having to know the password or require access to a paired MFA token.

This is all possible because of the way the authentication mechanism works. There exists a trusted relationship between ADFS and the application that deferred the authentication to the ADFS, the latter referred to as the Relying Party in Microsoft parlance. The workflow involves a user wanting to gain access to a specific application that has a Relying Party trust established with the domain associated with an ADFS. When the application determines that it is not responsible for the authentication of a specific user it redirects the user to the respective identity provider or ADFS in this case. This process is asynchronous, meaning that the application redirects the user to the applicable ADFS server and the application forgets about that user. It is now the responsibility of the applicable ADFS to verify the identity of the user. The Relying Party has no role to play during this process. The Relying Party or application comes back into scope once the respective ADFS server has decided the outcome of the authentication process. At this stage, it is important for the application to verify the authenticity of the response from the ADFS. This is done using the exchanged public certificate it obtained when the trust relationship was established initially. The application trusts that the ADFS did its part to verify the users’ credentials and enforced the MFA interaction if any. If an attacker managed to spoof the response, then that application will be none the wiser.