MagicWeb is a newly discovered vulnerability reported by Microsoft: a malicious vector that enables cybercriminals to manipulate the claims passed in tokens generated by an Active Directory Federation Services (AD FS) server, steal credentials and infiltrate the business network.
Microsoft warned enterprises about the SolarWinds supply chain attacks back in 2020. According to a study published by IronNet titled “2021 Cybersecurity Impact Report,” the SolarWinds supply chain attackers gained access to nearly 18,000 government agencies and Fortune 500 companies in 2020. The study also highlights that the impact of this sophisticated cyber-attack costs organizations approximately 11% of their annual revenue.
The SolarWinds supply chain attackers have developed a cyber-attack vector that bypasses authentication to gain access to business networks and move laterally.
Unlike its previous attacks, the Russian-backed Nobelium APT is not using a supply chain compromise as the vector to deploy MagicWeb. Instead, it is exploiting administrative credentials for the Active Directory Federation Services (AD FS) server to infiltrate the network.
The attackers use this privileged access to replace a legitimate dynamic-link library (DLL) with a malicious MagicWeb DLL, so that the AD FS server loads the malware as if it were legitimate. This enables the threat actors to keep a firm foothold in the business network even while defenders try to evict them.
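Because the technique described above relies on the AD FS service loading a replaced DLL, a practical defensive check is to inventory the modules the running service has loaded and flag any that are unsigned, tampered, or signed by an unexpected publisher. The following is an added example written for this article, not code from Microsoft or the article's author; it assumes the AD FS Windows service is named adfssrv (the standard name) and that only Microsoft-signed binaries are expected, which you should adjust for your environment.

```powershell
# Added example (not from the article): list the DLLs loaded by the running
# AD FS service and flag any that are unsigned or signed by an unexpected
# publisher. 'adfssrv' is the AD FS service name; the expected-publisher
# pattern is an assumption to adjust for your environment.
# Run on the federation server in an elevated PowerShell session.

$expectedPublisher = 'CN=Microsoft Corporation*'   # assumption: Microsoft-signed binaries only

$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if (-not $svc -or $svc.ProcessId -eq 0) {
    throw 'AD FS service (adfssrv) is not running on this host.'
}

$proc = Get-Process -Id $svc.ProcessId

$report = foreach ($m in $proc.Modules) {
    $sig     = Get-AuthenticodeSignature -FilePath $m.FileName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Module     = $m.ModuleName
        Path       = $m.FileName
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer     = $subject
        Suspicious = ($sig.Status -ne 'Valid') -or ($subject -notlike $expectedPublisher)
        Sha256     = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
    }
}

# Anything flagged here deserves a closer look: a replaced DLL would typically
# show up as NotSigned, HashMismatch, or signed by a non-Microsoft publisher.
$report | Where-Object Suspicious | Sort-Object Path |
    Format-Table Module, Status, Signer -AutoSize

# Keep the full inventory (with hashes) so it can be diffed against a
# known-good baseline taken when the server was built.
$report | Export-Csv -Path "$env:TEMP\adfs-module-inventory.csv" -NoTypeInformation
```

Treat the flagged list as a starting point rather than a verdict: on some hosts operating-system DLLs are catalog-signed and may not report a Valid embedded signature, so the more reliable signal is a hash that differs from the baseline you captured when the server was known to be clean.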
“Active Directory Federation Services (ADFS) is a Tier 0 asset, and thus a high-priority target for threat actors,” says Sean Deuby, Director of Services, Semperis.
Like domain controllers, Active Directory Federation Services can authenticate users. Threat actors leverage MagicWeb to manipulate the claims passed in the authentication tokens created by an AD FS server. This lets the attackers authenticate as any user on the network, infiltrate it, and move laterally. Microsoft suggests that customers isolate the AD FS infrastructure so that the server is accessed only by dedicated admin accounts, or migrate to Azure Active Directory.
Here are a few strategies that CISOs can consider to harden AD FS servers and secure the IT infrastructure against MagicWeb:
Treat and secure Active Directory Federation Services as a Tier 0 asset
CISOs should treat AD FS as a Tier 0 asset, like the other identity systems in the IT infrastructure, because it authenticates users. Enterprises can leverage the Security Configuration Wizard (SCW) to apply AD FS-specific security best practices to the federation servers and their proxy computers. The SCW tools are built into Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. SecOps teams need to implement security postures that minimize the attack surface of the servers, depending on the installed server roles. When the DevOps team installs AD FS, the setup generates role extension files that CISOs can use with the SCW tools to apply a robust security posture to that particular AD FS server during installation.
Leverage token replay detection
SecOps can use token replay detection at the touch points where security plays a crucial role. The token replay detection feature of AD FS ensures that every request to replay a token in the Federation Service (FS) is identified and discarded. It is an effective way, for both the WS-Federation passive profile and the Security Assertion Markup Language (SAML) WebSSO profile, to ensure that tokens are used only once. Once the Federation Service starts, it builds a cache of the token requests it has processed. As token requests are added to the cache over time, the Federation Service's ability to detect replay requests improves. Enterprises that disable token replay detection and later re-enable it should be aware that the FS will, for a certain period, accept tokens that may have been used previously, because the cache takes time to rebuild its contents.
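The setting described above is exposed through the AD FS PowerShell module that ships with the role. The following is an added example, not code from the article or from Microsoft's documentation; it uses the real Set-AdfsProperties parameters PreventTokenReplays and ReplayCacheExpirationInterval, and the 60-minute cache interval is an assumption that must be at least as long as the lifetime of the tokens you issue.

```powershell
# Added example (not from the article): inspect and enable token replay
# detection on an AD FS farm. Run on a federation server in an elevated
# session; the setting is farm-wide because it lives in the configuration DB.
Import-Module ADFS

$props = Get-AdfsProperties

# Current state: PreventTokenReplays toggles the feature; the cache keeps
# seen tokens for ReplayCacheExpirationInterval minutes.
"PreventTokenReplays          : {0}"     -f $props.PreventTokenReplays
"ReplayCacheExpirationInterval: {0} min" -f $props.ReplayCacheExpirationInterval

if (-not $props.PreventTokenReplays) {
    # Assumption: 60 minutes. The cache interval must cover the longest token
    # lifetime you issue, otherwise a token could be replayed after its cache
    # entry expires but before the token itself does.
    Set-AdfsProperties -PreventTokenReplays $true -ReplayCacheExpirationInterval 60

    # Caveat from the article: the replay cache is empty right after enabling
    # (or after a service restart), so tokens issued before this point are not
    # recognised as replays until the cache has been rebuilt.
    Write-Warning ("Replay detection enabled at {0}; the replay cache is being rebuilt " +
                   "and previously issued tokens may still be accepted." -f (Get-Date))
}

# Verify the resulting configuration
Get-AdfsProperties | Select-Object PreventTokenReplays, ReplayCacheExpirationInterval
```

Record the time the setting was enabled in your change log: that timestamp marks the window during which replayed tokens may still slip through, which is useful context when reviewing authentication events from the same period.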
Detect and mitigate domain dominance or Kerberoasting to ensure a properly secured Active Directory forest
Cybercriminals use the Kerberoasting technique to extract the credentials of service accounts in Active Directory (AD). Malicious actors masquerade as legitimate users and request a service ticket for an account that has a Service Principal Name (SPN); the ticket they receive is encrypted with that account's password, which they can then attack offline.
“In a properly configured AD forest, gaining administrative control over ADFS requires either domain dominance or successful Kerberoasting of the ADFS service account. This service account is far more vulnerable to Kerberoasting (which cracks the service account password) if a regular service account is used instead of the recommended group-managed service account (which uses hard-to-crack passwords: complex, randomly generated 240-character passwords, automatically updated every 30 days),” adds Sean.
CISOs should consider setting long and complex passwords that are nearly impossible to crack by brute force alone. Generating random passwords with multiple special characters will help the SecOps team minimize dictionary attacks. It is crucial to set stringent password management policies to ensure secure access to Active Directory Federation Services.
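Two checks follow directly from the advice above: confirm that the AD FS service actually runs under a group-managed service account, and watch for the Kerberoasting signal on the domain controllers. The following is an added example, not code from the article, Semperis or Microsoft; it assumes the script runs on the federation server, that the ActiveDirectory module (RSAT) is installed, that a domain controller named DC01 is reachable, and it reads the standard Security event 4769 fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress).

```powershell
# Added example (not from the article): (1) is the AD FS service account a
# gMSA? (2) are there RC4 service-ticket requests, the classic Kerberoasting
# signal, on a domain controller in the last 24 hours? DC01 is an assumed name.
Import-Module ActiveDirectory

# 1. Which account does the AD FS service (adfssrv) run as?
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
$sam = ($svc.StartName -split '\\')[-1].TrimEnd('$')   # strip DOMAIN\ and trailing $

# Get-ADServiceAccount returns both standalone and group MSAs; the objectClass
# tells them apart. Fall back to a plain user account if it is neither.
$acct = Get-ADServiceAccount -Filter "Name -eq '$sam'" `
            -Properties servicePrincipalName, 'msDS-ManagedPasswordInterval'
if (-not $acct) {
    $acct = Get-ADUser -Filter "sAMAccountName -eq '$sam'" `
                -Properties servicePrincipalName, PasswordLastSet
}

$isGmsa = $acct.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
[pscustomobject]@{
    ServiceAccount = $svc.StartName
    IsGMSA         = $isGmsa
    HasSPN         = [bool]$acct.servicePrincipalName
    RotationDays   = if ($isGmsa) { $acct.'msDS-ManagedPasswordInterval' } else { 'n/a' }
    Recommendation = if ($isGmsa) { 'OK: gMSA with automatic password rotation' }
                     else { 'Migrate to a gMSA: a plain account with an SPN is a Kerberoasting target' }
}

# 2. Detection: TGS requests (event 4769) using RC4 (0x17) for service
#    principals that are not computer accounts. Modern clients negotiate AES,
#    so RC4 against a user-style SPN stands out; one requester asking for many
#    such tickets stands out even more.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -ComputerName 'DC01' `
              -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since }

$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TicketEncryptionType -eq '0x17' -and
        $d.ServiceName -notlike '*$' -and $d.ServiceName -ne 'krbtgt') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d.TargetUserName
            Service   = $d.ServiceName
            ClientIP  = $d.IpAddress
        }
    }
}

# Requesters ranked by how many RC4 service tickets they pulled
$hits | Group-Object Requester | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The event query is deliberately narrow (RC4 only, non-computer services) so that it is cheap to run on a schedule; accounts that legitimately still use RC4 will show up and can be allow-listed, and any remaining requester with a high count is worth an incident-response look.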
Enterprises using Security Assertion Markup Language (SAML) artifact resolution should encrypt tokens to improve their security posture against man-in-the-middle (MITM) attacks, which cybercriminals may use as a vector against an organization's AD FS deployment. SecOps teams can add an encryption certificate for each relying party trust, either when creating the relying party trust or later. To add an encryption certificate to an existing relying party trust, SecOps can use the Encryption tab in the trust's properties in the AD FS snap-in.
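The same change can be scripted, which is useful when many relying party trusts need the certificate and you want the result to be verifiable. The following is an added example, not code from the article; it uses the real Set-AdfsRelyingPartyTrust parameters EncryptionCertificate, EncryptClaims and EncryptionCertificateRevocationCheck, while the trust name and certificate path are assumptions.

```powershell
# Added example (not from the article): attach an encryption certificate to an
# existing relying party trust, the PowerShell equivalent of the Encryption
# tab in the AD FS snap-in. Trust name and certificate path are assumptions.
Import-Module ADFS

$rpName   = 'Contoso HR Portal'                     # assumed relying party display name
$certFile = 'C:\certs\hrportal-encryption.cer'      # assumed: the RP's public encryption cert

# Only the relying party's public key is needed on the AD FS side: AD FS
# encrypts the token with it and only the relying party can decrypt it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

# Attach the certificate, require encrypted claims, and keep chain revocation
# checking on so a revoked RP certificate stops being used.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -EncryptionCertificate $cert `
    -EncryptClaims $true `
    -EncryptionCertificateRevocationCheck CheckChain

# Verify: thumbprint and expiry are the two values worth tracking afterwards,
# because an expired encryption certificate breaks sign-in for that RP.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, EncryptClaims,
        @{ n = 'EncryptionCertThumbprint'; e = { $_.EncryptionCertificate.Thumbprint } },
        @{ n = 'EncryptionCertExpires';    e = { $_.EncryptionCertificate.NotAfter } }
```

Encryption protects the token's contents in transit; it does not replace signing, which AD FS applies regardless and which the relying party must still validate.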
Ensure privacy of sensitive information
Active Directory Federation Services does not inherently expose or monitor personally identifiable information (PII). If the organization enables event logging and debug trace logging, then depending on the configured claims policy, some claims and their values may contain PII that ends up in the AD FS event or tracing logs. Hence it is crucial to enforce stringent access control on Active Directory Federation Services and its log files. Enterprises that do not want to expose sensitive data should disable logging, or filter any PII or sensitive data from the logs before they are shared with other users or systems. CISOs should consider securing all AD FS event logs and trace logs with access control lists (ACLs); this is one of the most effective ways to restrict access to authorized and trusted administrators.
MagicWeb is a newly discovered threat that cybercriminals use to bypass authentication, gain access to business networks and move laterally. CISOs need to harden their Active Directory Federation Services to minimize the risks posed by malicious actors.
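The two controls in this section, keeping claim values out of the logs and restricting who can read the log files, can both be checked from PowerShell. The following is an added example, not code from the article or from Microsoft; it uses the standard AD FS channel names ("AD FS/Admin" and "AD FS Tracing/Debug") and the real Set-AdfsProperties -LogLevel parameter, and the admin group name is an assumption.

```powershell
# Added example (not from the article): make sure AD FS debug tracing is off,
# trim the admin log level, and audit the ACLs on the on-disk log files.
# Run in an elevated session on the federation server. The admin group name
# and the allow-list of principals are assumptions for your environment.
Import-Module ADFS

# 1. Debug tracing is where claim values (and therefore PII) can land. Keep it
#    off unless you are actively troubleshooting, and turn it off afterwards.
wevtutil get-log 'AD FS Tracing/Debug'          # prints "enabled: true|false"
wevtutil set-log 'AD FS Tracing/Debug' /enabled:false

# 2. Keep the admin log to audits, warnings and errors; Information/Verbose
#    add detail you probably do not need in production.
(Get-AdfsProperties).LogLevel
Set-AdfsProperties -LogLevel @('Errors', 'Warnings', 'FailureAudits', 'SuccessAudits')

# 3. Audit who can read the log files. NT SERVICE\EventLog must keep access or
#    the Event Log service can no longer write; everything else on the file
#    should be SYSTEM, local Administrators and your dedicated AD FS admins.
$adfsAdmins = 'CONTOSO\ADFS-Admins'             # assumed group
$allowed    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog', $adfsAdmins)

$logFiles = @(
    "$env:SystemRoot\System32\winevt\Logs\AD FS%4Admin.evtx",
    "$env:SystemRoot\System32\winevt\Logs\AD FS Tracing%4Debug.evtx"
)

foreach ($f in $logFiles) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $acl = Get-Acl -LiteralPath $f

    # Flag any principal that is not on the allow-list (e.g. BUILTIN\Users).
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -notin $allowed } |
        ForEach-Object { Write-Warning ("{0}: unexpected ACE for {1} ({2})" -f $f, $_.IdentityReference, $_.FileSystemRights) }

    # Grant the dedicated admin group read access if it is missing.
    if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $adfsAdmins })) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $adfsAdmins, 'ReadAndExecute', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $f -AclObject $acl
    }

    (Get-Acl -LiteralPath $f).Access | Select-Object IdentityReference, FileSystemRights
}
```

Reading a live channel through Event Viewer is governed by the channel's own security descriptor as well, so the file ACLs above mainly matter for copies and exports; for forwarding to a SIEM, filter or mask PII-bearing claim values at the collector before the events leave the server.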