IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers could abuse legitimate Windows AD FS to steal data

The flaw in Microsoft authentication servers could enable threat actors to perform a Golden SAML attack

Security researchers have warned that hackers could easily abuse a Windows service to steal data from any organization using Active Directory in their network.

According to FireEye, the new attack could give hackers another way to take over Microsoft 365 accounts via a flaw in Active Directory Federated Services (AD FS). The attack echoes the recent SolarWinds attack.

AD FS is a feature for Windows Servers that enables federated identity and access management. Organizations often use it to provide single sign-on functionality to access enterprise applications such as Microsoft 365.

Hackers could spoof one AD FS server communicating to another AD FS to obtain its keys. The attack is not dissimilar to a Golden SAML attack that CyberArk coined in 2017. In that type of attack, hackers can access any application supporting SAML authentication with any privileges and be any user on the targeted application.

In the new attack, hackers could abuse the Policy Store Transfer Service to acquire the encrypted Token Signing Certificate over the network.

With previous techniques, hackers needed to execute remote code on an AD FS server to extract the data or at least an SMB connection to transfer the backing database files. The new attack requires only access to the AD FS server over the standard HTTP port. The default AD FS installation will create a Windows Firewall rule to allow HTTP traffic from any system.

“Additionally, a threat actor does not need the credentials for the AD FS service account and can instead use any account that is a local administrator on an AD FS server. Lastly, there is no Event Log message that is recorded when a replication event occurs on an AD FS server. Altogether, this makes the technique both much easier to execute and much harder to detect,” said Doug Bienstock, IR Manager at FireEye.

Bienstock said the authorization policy itself also presents an opportunity for abuse. Because the authorization policy is stored as XML text in the configuration database, a threat actor with enough access could modify it to be more permissive.

Related Resource

NETSCOUT threat intelligence report

Cyber crime: Exploiting a pandemic

Threat intelligence report - whitepaper from NETSCOUTDownload now

“A threat actor could modify the Authorization Policy to include a group SID such as domain users, S-1-5-21-X-513. Similarly, they could add an ACE to the DKM key container in Active Directory. This would allow the threat actor to easily obtain the Token Signing Certificate and decrypt it using any domain user credentials. This would give them persistent ability to perform a Golden SAML attack with only access to the network as a requirement,” Bienstock said.

While the attack has not yet been observed in the wild, writing a proof of concept would be trivial, according to Bienstock.

Researchers said the best mitigation against this technique is to use the Windows Firewall to restrict access to port 80 TCP to only the AD FS servers in the farm.

“If an organization has only a single AD FS server, then port 80 TCP can be blocked completely. This block can be put in place because all traffic to and from AD FS servers and proxies for user authentication is over port 443 TCP,” said Bienstock.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads
Microsoft Windows

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads

20 Jun 2022
IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated
Business strategy

IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated

17 Jun 2022
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
ransomware

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

17 Jun 2022
Microsoft silent patches called “a grossly irresponsible policy”
cyber security

Microsoft silent patches called “a grossly irresponsible policy”

15 Jun 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Delivery firm Yodel disrupted by cyber attack
cyber attacks

Delivery firm Yodel disrupted by cyber attack

21 Jun 2022
Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022