A group of APTs recently targeted a victim’s Office 365 environment through its Active Directory Federation Services (AD FS) server, stealing the secret material used to sign SAML tokens. These tokens pass information about users, logins, and attributes between the identity provider and the service providers.
What has happened?
Researchers found that the threat group targeted an Office 365 environment believed to have a hybrid authentication model, either partially configured or fully functional on a cloud network.
The threat actor compromised the AD FS server, probably using stolen credentials, and from there abused SAML tokens to gain access.
The attackers specifically targeted the token-signing certificates and private keys stored on the server, which are used to sign SAML tokens. This certificate has a default validity of one year.
Holding the signing key allows cybercriminals to log into Azure or Office 365 as any existing AD user, regardless of any password reset or MFA requirement.
A hot target for a reason.
Attackers can access Azure / Azure AD, Office 365, Azure applications, and the Defender Security Center by abusing a Golden SAML token.
Exfiltration of the AD FS configuration database can be spotted in proxy logs, NetFlow, EDR telemetry, and command-line parsing. Lateral movement to the AD FS server is typically performed through a pass-the-hash (PTH) attack.
Credential-dumping tools leave traces in command-line and registry telemetry collected by Sysmon or EDR. Attackers also access the Distributed Key Manager (DKM) container via PowerShell and spoof SAML requests.
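As an added example (not from the article), the following Python script correlates constructed Azure AD sign-in records with AD FS token-issuance audit events: a federated sign-in with no matching issuance on the AD FS farm is one observable sign of a token forged with the stolen signing key. The log field names, the sample records, and the use of AD FS event ID 1200 to mean "token issued" are assumptions.

```python
# Added example: flag federated Azure AD sign-ins that have no corresponding
# AD FS token-issuance event. A forged (Golden SAML) token is accepted by the
# cloud side without the on-premises AD FS farm ever having issued it.
from datetime import datetime, timedelta

# Constructed sample logs. Field names and the meaning of event_id 1200
# ("The Federation Service issued a valid token") are assumptions.
ADFS_EVENTS = [
    {"event_id": 1200, "upn": "alice@example.com", "time": "2020-12-14T09:00:05Z"},
    {"event_id": 1200, "upn": "bob@example.com",   "time": "2020-12-14T09:10:00Z"},
]
AAD_SIGNINS = [
    {"upn": "alice@example.com", "time": "2020-12-14T09:00:07Z", "auth": "federated", "mfa": True},
    {"upn": "bob@example.com",   "time": "2020-12-14T09:10:02Z", "auth": "federated", "mfa": True},
    {"upn": "carol@example.com", "time": "2020-12-14T09:12:00Z", "auth": "cloud",     "mfa": True},
    # Federated sign-in for an admin account that the AD FS farm never issued a
    # token for, and no MFA claim: consistent with a forged SAML token.
    {"upn": "svc-admin@example.com", "time": "2020-12-14T09:30:00Z", "auth": "federated", "mfa": False},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_federated_signins(adfs_events, aad_signins, window=timedelta(minutes=2)):
    """Return (upn, reason) pairs for federated sign-ins lacking an AD FS issuance
    within `window` before the sign-in. Cloud-only sign-ins are skipped."""
    issued = {}
    for e in adfs_events:
        if e["event_id"] == 1200:
            issued.setdefault(e["upn"].lower(), []).append(parse_ts(e["time"]))
    findings = []
    for s in aad_signins:
        if s["auth"] != "federated":
            continue
        t = parse_ts(s["time"])
        times = issued.get(s["upn"].lower(), [])
        # A legitimate federated sign-in follows an AD FS issuance shortly before it.
        if not any(timedelta(0) <= t - it <= window for it in times):
            reason = "no AD FS issuance" + ("" if s["mfa"] else ", MFA claim absent")
            findings.append((s["upn"], reason))
    return findings


if __name__ == "__main__":
    for upn, reason in find_unmatched_federated_signins(ADFS_EVENTS, AAD_SIGNINS):
        print(f"SUSPICIOUS federated sign-in: {upn} ({reason})")
```

In a real deployment the AD FS security log and the Azure AD sign-in log would be pulled from a SIEM; the correlation logic stays the same.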
The recent attack is tricky and is carried out with the aim of obtaining the token-signing certificate to gain access to a specific target network. Therefore, experts suggest implementing additional layers of protection for SAML certificates and, in case of compromise, rotating the token-signing certificate in AD FS twice and forcing re-authentication for all users.
Author: Cyware Alerts – Hacker News