An investigation by inversecos, an IR consultant for Secureworks, confirms that APT groups are still using the Golden SAML attack to bypass authentication controls and access Office 365 environments. Most of the victims either have a hybrid authentication model or are completely in the cloud.
Compromising the AD FS (Active Directory Federation Services) server token-signing certificate could result in access to the Azure/Office365 environment. Certificates are valid for one year by default, which allows threat actors to maintain persistence and re-enter Azure/Office365 environments as any user within AD regardless of any password resets or multi-factor authentication.
The attack flow is as follows:
Step 1. Attacker compromises the on-premises domain
Step 2. Enumeration
Step 3. Gather the credentials for the AD FS process owner (service) account
Step 4. Laterally move to AD FS server
Step 5. Obtain the token-signing certificate from the AD FS server
Step 6. Obtain the DKM (Distributed Key Manager) key needed to decrypt the certificate
Step 7. Decrypt the token-signing certificate
Step 8. Generate a SAML token
Re-issuing the token-signing certificate on AD FS invalidates any SAML tokens signed with the stolen certificate and ensures that no copy of the stolen certificate remains cached in Azure Active Directory. Forcing re-authentication of all users ensures that everyone must sign in again with tokens issued under the new certificate, ending any sessions established with forged tokens. Using security solutions to detect intrusions and attacker activity targeting the AD FS server is an important first step in protecting the token-signing certificate from theft. It is critical to have a Security Operations Center, whether staffed internally or through a managed security provider, that can recognize attacks against AD FS quickly and respond proactively.
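One concrete form of the detection the last paragraph calls for, as an added example that is not from the investigation or the article: correlate AD FS token-issuance audit events with federated sign-ins recorded in the cloud tenant. A token forged offline with the stolen certificate never passes through the AD FS service, so a federated sign-in with no matching issuance event for that user is the signal. The record layouts are constructed for this example, and the reference to AD FS Event ID 1200 ("token issued") and the five-minute correlation window are assumptions.

```python
"""Flag federated cloud sign-ins that AD FS never issued a token for.

Golden SAML tokens are minted outside AD FS, so they leave no issuance
record on the federation server. Comparing the two log sources per user
exposes them. All log records below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed: AD FS security-audit records (assumed Event ID 1200, token issued).
ADFS_ISSUED = [
    {"time": "2023-05-01T09:00:10Z", "user": "alice@corp.example"},
    {"time": "2023-05-01T09:05:40Z", "user": "bob@corp.example"},
]

# Constructed: sign-in records from the cloud tenant; "auth" marks how the
# user authenticated (federated via AD FS, or cloud password).
CLOUD_SIGNINS = [
    {"time": "2023-05-01T09:00:12Z", "user": "alice@corp.example", "auth": "federated"},
    {"time": "2023-05-01T09:05:41Z", "user": "bob@corp.example", "auth": "federated"},
    {"time": "2023-05-01T13:22:03Z", "user": "admin@corp.example", "auth": "federated"},
    {"time": "2023-05-01T14:00:00Z", "user": "carol@corp.example", "auth": "password"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unissued_signins(adfs_events, signins, window=timedelta(minutes=5)):
    """Return federated sign-ins with no AD FS issuance for the same user
    in the `window` leading up to the sign-in. Non-federated sign-ins are
    ignored because AD FS is not expected to log them."""
    issued = {}
    for ev in adfs_events:
        issued.setdefault(ev["user"].lower(), []).append(_ts(ev["time"]))
    suspicious = []
    for s in signins:
        if s["auth"] != "federated":
            continue
        t = _ts(s["time"])
        # Allow a small skew window: the cloud sign-in lands shortly after issuance.
        matched = [i for i in issued.get(s["user"].lower(), []) if t - window <= i <= t]
        if not matched:
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_signins(ADFS_ISSUED, CLOUD_SIGNINS):
        print(f"federated sign-in with no AD FS issuance: {hit['user']} at {hit['time']}")
```

This only works if AD FS auditing is enabled and the events are shipped off the AD FS server, since an attacker who has reached step 4 can tamper with logs kept locally.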