The recently disclosed compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on a dangerous Active Directory Federation Services (ADFS) bypass technique dubbed “Golden SAML.”

The Golden SAML technique involves the attackers first gaining administrative access to an organization’s ADFS server and stealing the necessary private key and signing certificate.

When a user at the victim organization attempts to access a federated service such as AWS or Microsoft 365, the service redirects the request to ADFS for authentication. Normally, the user would authenticate with ADFS, and ADFS would return a signed SAML response or token to the app or federated service via the user's system. The app or federated service would check the response and allow the user to log in.

In a Golden SAML attack, when the user attempts to access a service and the service redirects the request to ADFS for authentication, the attacker would forge a SAML response using the stolen key to gain unauthorized access. The attack vector allows adversaries to gain access to critical and infrastructure without requiring any additional access in the victim environment.

Attackers will continue to have that access until the ADFS private key is invalidated and replaced, a task that would require altering or terminating connectivity to all federated systems.
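Because a forged response is signed with the stolen key and never issued by ADFS, a login accepted by the federated service has no matching issuance record on the ADFS side. The sketch below is an added example, not taken from the original article: it correlates the two log sources over constructed sample records, and the field names, time window and clock-skew allowance are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are assumptions
# standing in for whatever your ADFS audit and service-provider logs expose.
ADFS_ISSUED = [
    {"user": "alice@example.com", "sp": "aws", "time": "2020-12-14T09:00:05"},
    {"user": "bob@example.com", "sp": "m365", "time": "2020-12-14T09:10:00"},
]
SP_LOGINS = [
    {"user": "alice@example.com", "sp": "aws", "time": "2020-12-14T09:00:07"},
    {"user": "bob@example.com", "sp": "m365", "time": "2020-12-14T09:10:02"},
    # No ADFS issuance exists for this one: candidate forged assertion.
    {"user": "admin@example.com", "sp": "aws", "time": "2020-12-14T03:12:40"},
    # Token was issued for m365 only, yet a login appears at aws: unmatched.
    {"user": "bob@example.com", "sp": "aws", "time": "2020-12-14T09:10:03"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def unmatched_logins(sp_logins, adfs_issued, window=timedelta(minutes=5),
                     skew=timedelta(seconds=30)):
    """Return SP logins with no ADFS issuance for the same user and SP
    in the interval [login - window, login + skew]."""
    issued = {}
    for rec in adfs_issued:
        key = (rec["user"].lower(), rec["sp"].lower())
        issued.setdefault(key, []).append(_ts(rec["time"]))
    suspicious = []
    for login in sp_logins:
        key = (login["user"].lower(), login["sp"].lower())
        t = _ts(login["time"])
        # skew tolerates small clock differences between the two log sources
        if not any(t - window <= i <= t + skew for i in issued.get(key, [])):
            suspicious.append(login)
    return suspicious

if __name__ == "__main__":
    for hit in unmatched_logins(SP_LOGINS, ADFS_ISSUED):
        print("no matching ADFS issuance:", hit)
```

An unmatched login is a lead to investigate rather than proof of forgery, since gaps in ADFS audit logging produce the same result.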

An advanced persistent threat (APT) group called Dark Halo, based in Russia, breached SolarWinds’ software build system and injected a backdoor called Sunburst into updates of the company’s Orion network management software.

The updates were sent out to some 33,000 organizations worldwide, about 18,000 of which installed them on their systems. With a small subset of those organizations, the attackers used the Sunburst Trojan to download other malware for stealing data and conducting other forms of cyber espionage.