The APT groups the Mandiant researchers followed only targeted a handful of relevant users, not all of them. In most cases, between six and ten highly valuable people were monitored. The largest number of targeted mailboxes the researchers saw in a single organisation was 93.
Putting things into context, Madeley says this technique can have a broad impact.
"If I develop an enterprise application that I share with you, or I create a blueprint of that application that other companies can use and might buy, and that application gets compromised, it also means that the threat actor can access your tenant," he says. "So, it's not just protecting your own data. You also have to worry about the source of the enterprise applications that you're getting, making sure that your vendors' security is on par."
Advanced nation-state actors who carry out cyber-espionage campaigns are not just interested in getting into an environment. They also want to do it stealthily and maintain access for as long as possible.
Here's where the technique called Golden SAML comes in. It was used by several APT groups, including UNC2452/DarkHalo, which was responsible for the supply chain attack that Trojanised SolarWinds Orion software updates to distribute the SUNBURST malware. The attack, of which FireEye was one of the many victims, was disclosed in December 2020.
SAML stands for Security Assertion Markup Language and is an open standard used for exchanging authentication and authorisation between parties. It was designed to simplify the authentication process, enabling single sign-on (SSO), allowing access to multiple web applications with just one set of login credentials.
"Golden SAML is basically a way for the threat actor to be able to log into Microsoft 365 as any user that they want," Bienstock says. "They can bypass any additional security requirements that the organisation might have."
To explain how powerful this technique is, he used an analogy. "If you want to make a passport, you need something very specific that is locked down by the government in some office," he says.
"But once you get your passport machine, there's nothing stopping you from making a passport for anyone that you want. The Golden SAML is very similar to that. The threat actors are going after a particular system on the network; they're stealing a private key. Then once they have that private key, they can create authentication tokens for any user that they want."
In the Golden SAML technique, attackers steal the Active Directory Federation Services (AD FS) token-signing key. (AD FS is a feature for Windows Servers that enables federated identity and access management.) The technique is handy for an attacker when they are after specific users, and they want to access things that only those users may have, like specific files on their SharePoint or OneDrive.
Traditionally, to carry out the Golden SAML technique, hackers need to compromise the AD FS server that holds this private key. That can be difficult, because the server should be well protected. Bienstock and Madeley say, however, that there is a way to steal the key remotely.
Attackers still need to be on the company's private network, but with the right level of privilege, they don't necessarily need to compromise that specific server. Instead, they can carry out their attack from anywhere.
To keep the analogy, it's "like using magic to teleport the passport machine out of the office," Bienstock says.
"You can now do it without actually needing to step inside the passport office or needing to run code on the AD FS server," he added. "[This technique] is potentially valuable because it lowers the barrier for success by a bit, and it's a good deal more stealthy to carry out."
This type of attack, in which the key is stolen remotely, has not been seen in the wild yet, but the two researchers say it is a "natural extension" of the current technique, and organisations should prepare to defend against it.
Active Directory Federation Services replication
Large organisations that are geographically dispersed can have more than one AD FS server. They might have two, three or four in a farm configuration. By default, all the farm nodes use the same configurations and the same token signing certificate.
"Each server is going to have a private key -- the passport machine -- but they need a way of keeping that in sync," Bienstock says. "To do that, there's a replication service. That service operates over the network. Different servers can talk to each other."
The attackers could pretend to be the AD FS server that is performing replication, which is the primary AD FS server. "In some ways, [this technique is] very similar to a DCSync attack," Bienstock says.
"[In a DCSync attack], you are pretending to be a domain controller to get authentication information on the domain. In this technique, we are pretending to be another AD FS server to obtain sensitive information from the legitimate servers on the network."
Madeley says that he and his colleague have focused on AD FS because it's one of the more common SAML providers used by organisations targeted by APT threat actors.
Yet, they've seen other SAML providers being targeted, too. "It's important to note that the principle of the Golden SAML attack is not limited to AD FS," Madeley says. "If you compromise the signing certificates for any of the SAML providers, you're going to have the same issue."
Big data exfiltration
In the past, APT groups that targeted Microsoft 365/Office 365 mostly searched for specific keywords and then downloaded the files and emails that matched. Now, the researchers have noticed that they tend to exfiltrate hundreds of gigabytes of data.
"Threat actors are, for the most part, just downloading everything in that person's mailbox," Bienstock says. "The speculation that I have personally is: This, maybe, speaks to a big data approach. Rather than performing the searches where the data lives, why not just download as much data as possible, and then they'll do the searches later, because maybe their collection requirements change, they need new keywords."
This approach would allow them to make the most of a collection of data. They won't need to compromise an organisation again if they have to get new information related to another keyword or another secret project.
An APT group the researchers followed was able to download an impressive amount of data. "Over the course of a month, there were over 350 gigabytes stolen, and the threat actor had access for at least 12 months," Madeley says. "It kind of implies that there is some level of big data analysis on the back end. There's not a single human scrolling through emails."
This big data approach wouldn't be surprising, the two researchers say. They've noticed that advanced threat actors are increasingly relying on automation, building tools that perform many tasks for them. "The fact that they went through the effort of making these automated collection tools suggests that there is automation throughout the lifecycle."
Mitigating Microsoft 365 threats
Bienstock and Madeley expect APT groups to continue to update their skills in the years to come. They also say that some of these popular techniques will likely start to be used by financially motivated gangs.
Madeley recommends admins learn and understand the nuances of third-party cloud integrations. They should know what auditing is available to them and what types of detection capabilities they have depending on the Microsoft 365 licence model, he says. The researcher recommends that they establish good change control processes in the cloud, so when a threat actor makes a change to the organisation's infrastructure, an admin can detect it.
"It really starts with understanding your environment, understanding what applications you have registered, knowing what mailbox permissions look like on a normal basis, and what your authentication providers look like, and how they're being used within your environment," Madeley says, "and then monitoring changes."
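One concrete form of the monitoring Madeley describes is correlating the AD FS farm's own token-issuance records with the tenant's federated sign-ins: a forged (Golden SAML) token is trusted by Microsoft 365 even though no AD FS node ever issued it, so a federated sign-in with no matching issuance record is worth a closer look. The code below is an added example, not Mandiant's tooling; the record formats and log entries are constructed for illustration, and the five-minute matching window is an assumption.

```python
# Added example (not from the original article): flag federated cloud sign-ins
# that no AD FS farm node recorded issuing a token for. Record layouts and the
# sample data are constructed; the 5-minute window is an assumed clock tolerance.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AdfsIssuance:      # one token-issuance audit record from an AD FS farm node
    when: datetime
    user: str

@dataclass(frozen=True)
class CloudSignIn:       # one sign-in record from the Microsoft 365 tenant
    when: datetime
    user: str
    auth_method: str     # "federated" means the tenant trusted a SAML token

WINDOW = timedelta(minutes=5)

def find_unmatched_signins(issuances, signins, window=WINDOW):
    """Return federated sign-ins with no AD FS issuance for the same user within
    `window` before the sign-in. Each issuance is consumed once, so a second
    sign-in riding on one legitimate issuance is also reported."""
    pending = sorted(issuances, key=lambda i: i.when)
    used = set()
    suspicious = []
    for s in sorted(signins, key=lambda x: x.when):
        if s.auth_method != "federated":
            continue                      # password/cloud-native logons are out of scope
        match = None
        for idx, i in enumerate(pending):
            if idx in used or i.user != s.user:
                continue
            if timedelta(0) <= s.when - i.when <= window:
                match = idx
                break
        if match is None:
            suspicious.append(s)
        else:
            used.add(match)
    return suspicious

# Constructed sample data: alice's sign-in follows a real issuance; bob's has none.
T = datetime(2021, 8, 5, 9, 0)
SAMPLE_ISSUANCES = [AdfsIssuance(T, "alice@example.test")]
SAMPLE_SIGNINS = [
    CloudSignIn(T + timedelta(seconds=40), "alice@example.test", "federated"),
    CloudSignIn(T + timedelta(minutes=20), "bob@example.test", "federated"),
    CloudSignIn(T + timedelta(minutes=30), "carol@example.test", "cloud-password"),
]

if __name__ == "__main__":
    for s in find_unmatched_signins(SAMPLE_ISSUANCES, SAMPLE_SIGNINS):
        print(f"{s.when:%H:%M:%S} federated sign-in for {s.user} with no AD FS issuance")
```

The check only works if issuance auditing is collected from every node in the farm, since a token signed by any node is legitimate; a gap in collection from one node produces false positives rather than catching an attacker.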
Both researchers say that constant education is a must-have, as things move so much faster in the cloud. Microsoft is putting effort into making its cloud infrastructure resilient, secure, and more auditable, Madeley says, but organisations should also do their part when it comes to security. "It's important that enterprises understand where their blind spots are," the researcher added.