
CrowdStrike breaks down 'Golden SAML' attack

The nightmare scenario, demonstrated at RSA Conference 2021, was used by threat actors in the SolarWinds breach and gave them control over both cloud and on-premises systems.

Security vendor CrowdStrike gave RSA Conference attendees a peek into the inner workings of the infamous "Golden SAML" attack technique.

Blamed for a number of high-profile breaches, including the supply chain infection at SolarWinds and a series of other infiltrations attributed to state-sponsored groups in Russia, a successful Golden SAML heist will result in attackers gaining complete control over both local and cloud systems.

During the brief keynote demo, CrowdStrike CTO Michael Sentonas explained that, by lifting the Security Assertion Markup Language (SAML) token for a single administrator account, an attacker would be able to move laterally through a company's network and not only gain control of local network systems, but also access cloud instances with multifactor authentication checks in place.

While the Golden SAML technique has been known for several years -- researchers at security vendor CyberArk first developed it in 2017 -- and was theorized as far back as the late 1990s, it has only recently come to public attention, thanks to the SolarWinds incident and subsequent congressional testimony from CrowdStrike CEO George Kurtz and others.

"It showed your on-premises issues don't stay on premise when you move to the cloud," Sentonas said. "It showed that an attack on premise could lead to a compromise in the cloud and other cloud applications."

During a Thursday keynote session at RSA Conference, Sandra Joyce, executive vice president and head of global intelligence at FireEye, said the technique had far-reaching consequences in the SolarWinds breach. "With the SolarWinds activity, we saw the SAML technique being used, which allowed them to mint their own tokens and have access to multiple applications within the same federated environment," she said.

The key to the attack, Sentonas said, is the way SAML tokens are handled by Microsoft Active Directory Federation Services (ADFS). A domain-joined model allows a single compromised administrator account to obtain ADFS keys and certificates that would also provide access to cloud services including Azure and Office 365.

While getting control over a server and moving laterally across the network to obtain an administrator's ADFS keys requires a degree of skill and extensive reconnaissance, Sentonas said all the tools needed for an attack are open source and widely available. In his RSA Conference demonstration, the CrowdStrike CTO used tools such as Mimikatz and Burp Suite to move from a service account on a supply chain server to the ADFS controller and extract a New Technology LAN Manager (NTLM) hash for an administrator.

That extracted information can then be used to access ADFS with the administrator account and obtain the private ticket ADFS uses to establish a trusted connection -- aka the Golden SAML certificate.

The key here is the role the Golden SAML plays in accessing not only the on-premises servers, but also the online services. Once decoded and cleaned up by the attacker, the certificate signs SAML objects across Azure and other Microsoft cloud services.

Once the coveted private certificate is lifted, the attacker would have the ability to forge SAML requests, giving them not only control as an administrator, but the ability to present themselves as any other user with any level of access.

This means the attacker would be able to set up multiple points of control and backdoors to the network, granting persistent access, even if the attack was spotted and the local network was secured. Should, for example, the original compromised server be secured, the attacker would use their control over the cloud server to reestablish their connection and get back into the local network.
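The forged-token problem described above, seen from the defender's side, as an added example that is not code from CrowdStrike or the RSA demo: a Golden SAML assertion is signed with the real ADFS key, so signature checks alone pass, but the cloud side ends up accepting an assertion that ADFS itself never logged issuing, often with a validity window far outside normal policy. The issuer URL, issuance record and sample assertions are all constructed for illustration.

```python
"""Triage SAML assertions seen by a cloud relying party against the ADFS
issuance record.  Added example; inputs below are constructed, not real logs."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "http://sts.example.test/adfs/services/trust"  # constructed
ADFS_ISSUED = {"_7c1e"}          # constructed: assertion IDs ADFS logged issuing
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="{id}" Version="2.0" IssueInstant="{nb}">
 <saml:Issuer>{issuer}</saml:Issuer>
 <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"/>
</saml:Assertion>"""
# Constructed samples: one ADFS actually issued, one it has no record of.
SAMPLE_LEGIT = TEMPLATE.format(id="_7c1e", issuer=EXPECTED_ISSUER, user="alice@example.test",
                               nb="2021-05-20T10:00:00Z", na="2021-05-20T11:00:00Z")
SAMPLE_SUSPECT = TEMPLATE.format(id="_9d4a", issuer=EXPECTED_ISSUER, user="admin@example.test",
                                 nb="2021-05-20T10:00:00Z", na="2022-05-20T10:00:00Z")

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_assertion(xml_text):
    """Pull the fields a triage needs out of a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {"id": root.get("ID"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "not_before": _ts(cond.get("NotBefore")),
            "not_on_or_after": _ts(cond.get("NotOnOrAfter"))}

def triage(assertion, issued_ids, expected_issuer, max_lifetime=timedelta(hours=1)):
    """Return the reasons an accepted assertion looks forged; [] means consistent."""
    reasons = []
    if assertion["id"] not in issued_ids:   # signed with the real key, but minted off-box
        reasons.append("no matching ADFS issuance event")
    if assertion["issuer"] != expected_issuer:
        reasons.append("unexpected issuer")
    lifetime = assertion["not_on_or_after"] - assertion["not_before"]
    if lifetime > max_lifetime:
        reasons.append(f"validity window {lifetime} exceeds policy")
    return reasons

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_SUSPECT):
        a = parse_assertion(sample)
        print(a["id"], a["subject"], triage(a, ADFS_ISSUED, EXPECTED_ISSUER) or "consistent")
```

In a real environment the issuance record would come from the ADFS token-issuance audit log and the accepted assertions from the cloud tenant's federated sign-in logs; the check is only as good as the completeness of both exports.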

"Not only can the adversary jump to the cloud from our on-premises [systems], they can compromise the on-premises [data] from the cloud," Sentonas said.

"When the adversary has this kind of circular control in the environment, we need to be careful in how we evict the adversary so that they are no longer in the environment -- they no longer have privilege and they haven't established themselves for a longer term," he added.

To fully resolve such threats and prevent recurring attacks, Sentonas advised administrators to change the way they look at security and responses to network breaches. Rather than simply clean up what appears to be the point of entry or the targeted server, companies need to make sure their entire network, both in the cloud and on premises, is scrubbed and locked down, particularly those that link the cloud and on-premises systems together.

Additionally, it is recommended that companies extend zero-trust protections to on-premises networks, secure the service accounts that can give an attacker an entry point, and consider how user privileges in cloud services could be turned back against on-premises systems.
