Published on February 22, 2021
Oleg Kolesnikov, VP of Threat Research at Securonix, has made a key contribution to the MITRE Cloud ATT&CK Matrix for Azure AD. Linked to the SolarWinds breach and used by the group responsible, T1606.002 describes a method for forging valid credentials using SAML tokens signed by a trusted authority. A central part of the attack on SolarWinds customers, this technique facilitated privilege escalation as well as lateral movement of the attackers across applications – while also opening access for additional attackers into enterprise applications that use SAML authentication.
This blog describes why the attack matters, the real threat it poses, and the mitigation and detection steps that are available.
John Doe finally managed to log in to the expense portal, after multiple password change requests and account unlocks. He could not understand why his account had been locked over the weekend. All he knew was that his team had just returned from a trip and there were many expenses submitted for his approval. He also had reimbursements to claim. The portal had not allowed him to log in for over an hour, until a support rep had reluctantly unlocked his ID for him while letting him know that there were multiple red flags on his account.
The main page loaded, and John Doe found out why his account had been locked. His expense account showed approved expenses of over a million dollars, transferred to individual employee accounts. It also showed that those accounts had recently had their linked bank details changed. His account, too, had approved expenses of over $2,000,000 – all routed to a bank account he did not recognize!
Account number changes in the HR software, expense approvals in the expensing software, and approval emails from the internal email server – everything had been changed and done within a day, and without a trace of illegitimate activity.
John Doe rushed over to IT Support. They would surely be able to fix it – right?
SAML and Enterprise Applications
As the cloud has taken over computing models, enterprises have seen an explosion in the options they have when it comes to enabling business functions. A massive number of specialized software as a service (SaaS) applications are now available. But enterprise users cannot be expected to remember a different username and password for each of these applications.
Single sign-on (SSO) protocols such as SAML and OAuth have emerged to solve this problem. SAML enables secure SSO for both cloud SaaS and on-premises applications. A multitude of identity providers, such as Microsoft Azure Active Directory, Active Directory Federation Services (ADFS), Okta, and PingIdentity, provide secure SAML-based authentication support, and most enterprise applications now support SAML as an alternate means of authentication, along with their primary authentication system.
Core to the SAML authentication system is the concept of trusted authorities - certificate-based systems that authenticate users and, on success, issue them a signed token that serves as a multi-use pass with a limited validity period (much like a football season ticket) for accessing various enterprise applications. These trusted authorities sign tokens with certificates, and identifying passphrases and keys must be configured on both the identity provider and the service provider (the application). SAML trust is therefore built as a two-way system whose security rests on the token signing certificate.
The Attack: T1606.002 (Forge Web Credentials – SAML Tokens)
Contributed by Oleg Kolesnikov, VP of Threat Research at Securonix, along with Blake Strom from Microsoft, T1606.002 describes a technique that was central to attackers gaining near-unlimited access to enterprise applications running on networks affected by the SolarWinds breach. The attack follows a two-step process:
- Attackers use obtained administrative privileges (such as during the SolarWinds Orion breach) to gain access to the internal SAML token signing certificate. This access allows the attacker to create tokens that impersonate ANY account in the enterprise.
- Once this access is gained, the attacker can reach any on-premises or cloud resource that uses the SAML authority as a trusted identity provider.
The attacker can then, using global administrator privileges, add additional credentials to existing applications - enabling API calls and, if these are not audited after detection, leaving dormant credentials that can be used later to continue the attack.
These breaches are typically undetectable using standard security tools, as the access is gained using apparently legitimate tokens, sourced from legitimate accounts, and signed by the original token signing certificate.
This is a critically damaging technique that can give an attacker access to any enterprise resource that uses SAML for authentication (as described in the introduction). Detecting and mitigating this threat is not easy: the attack uses verified, valid credentials in what looks like a legitimate access attempt.
Detecting and Mitigating the Threat
The MITRE ATT&CK page for the technique lists several mitigation strategies, including rotating signing certificates and structured audits. Detection is acknowledged to be difficult, but possible post-compromise, or by monitoring for specific event codes.
Securonix’s UEBA-driven SIEM platform was built to detect these types of threats through advanced behavior analytics. These algorithms weigh multiple indicators of malicious activity - privilege usage compared to the peer group, time of day and geographic location of logins, account behavior after login, and several other factors - to determine when an account is compromised or malicious, even when the access itself passes every authentication check.
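The detection idea above, as an added example that is not Securonix code: it joins constructed identity provider issuance records with service provider sign-in records and flags tokens the IdP has no record of minting (the signature of a token forged with a stolen signing certificate, as described in the technique section), alongside the token-lifetime, time-of-day and location indicators the text lists. The key=value log format, the shared assertion id field, the one-hour lifetime policy and the working-hours window are all assumptions.

```python
# Added example (not Securonix code). Constructed "key=value ..." records: "issue"
# from the IdP, "signin" from the service provider; both are assumed to log the
# SAML assertion id so the two streams can be joined.
from datetime import datetime, timedelta

MAX_TOKEN_LIFETIME = timedelta(hours=1)   # assumed IdP issuance policy
BUSINESS_HOURS = range(7, 20)              # assumed local working window

def parse(line):
    """Turn one constructed record into a dict, parsing the timestamps."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    for key in ("ts", "nbf", "exp"):
        if key in fields:
            fields[key] = datetime.fromisoformat(fields[key])
    return fields

def detect_forged_saml(log_lines, usual_region):
    """Return (assertion id, user, reasons) for each suspicious sign-in."""
    events = [parse(line) for line in log_lines]
    issued = {e["id"] for e in events if e["kind"] == "issue"}
    alerts = []
    for e in events:
        if e["kind"] != "signin":
            continue
        reasons = []
        if e["id"] not in issued:
            # Signature verifies, but the IdP never minted it: forged token.
            reasons.append("no matching IdP issuance")
        if e["exp"] - e["nbf"] > MAX_TOKEN_LIFETIME:
            reasons.append("lifetime exceeds policy")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e.get("region") != usual_region.get(e["user"]):
            reasons.append("unusual region")
        if reasons:
            alerts.append((e["id"], e["user"], reasons))
    return alerts

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "kind=issue id=A1 user=jdoe nbf=2021-02-19T09:00:00 exp=2021-02-19T10:00:00",
    "kind=signin id=A1 user=jdoe ts=2021-02-19T09:00:05 nbf=2021-02-19T09:00:00 "
    "exp=2021-02-19T10:00:00 region=US",
    "kind=signin id=Z9 user=jdoe ts=2021-02-20T03:14:00 nbf=2021-02-20T03:00:00 "
    "exp=2021-02-21T03:00:00 region=EU",
]
USUAL_REGION = {"jdoe": "US"}  # assumed baseline learned from history

print(detect_forged_saml(SAMPLE_LOG, USUAL_REGION))
```

The first sign-in is clean because the IdP logged its issuance; the second carries a valid-looking token the IdP never issued and trips every behavioural check as well.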
Securonix uses a threat chain methodology to connect related malicious activity indicators together, identifying and separating real threats from relatively innocuous events.
Using Securonix Next-Gen SIEM with best-of-breed UEBA, SOC analysts are able to detect anomalous behavior like that in the example above and block the fraudulent transactions. With the right detection in place, even the effects of a wide-ranging attack such as the SolarWinds breach can be minimized.