The U.S government is saying both a lot and not very much about the recently reported hacks, purportedly at the hands of a Russian government hacking group known as “Cozy Bear.”
On one hand, government agencies like the Department of Homeland Security and CISA, the Cybersecurity and Infrastructure Security Agency, have published voluminous guidelines for responding to the attack, along with lists of “indicators of compromise” (IOCs) and other telltale signs that can help agencies determine whether they have been victimized. On the other hand, the government has said little about the intended objective of the attackers, the extent or severity of the security breach—possibly because nobody knows how big an incident this is at this early stage.
[ If you want to learn more about how QOMPLX can help your company spot signs that may signal a Active Directory or authentication compromise, contact our team now. ]
However, what the U.S. government is saying in public hints at a “worst case scenario” for federal IT networks: a total compromise of agencies’ Active Directory Domain Controllers, and a total breakdown in government IT operational integrity. If true, something like Richard Clarke’s warning about a “Digital Pearl Harbor,” often considered hyperbolic, may have finally come to pass. It is impossible to understate how bad this could really be.
Between the Lines: A Golden Ticket?
QOMPLX noted yesterday that an Emergency Directive from the Department of Homeland Security described the wide ranging supply chain attack and made specific mention of “Kerberoasting” attacks on Kerberos, the underlying protocol used by Microsoft’s Active Directory. Guidance released on Thursday from CISA suggests that the attacks did not stop there, and that the breach of government networks may have involved a “Golden Ticket” attack, suggesting a complete compromise of the US government’s Windows domain controllers.
Specifically, CISA advises agencies that have discovered evidence of a compromise linked to the SolarWinds Orion product to “reset the Kerberos Ticket Granting Ticket password twice,” referencing Microsoft Corp. online documentation on the process. The reference to resetting the Ticket Granting Ticket (or TGT) twice—once to invalidate the compromised TGT, and a second time to erase the compromised key from memory—is a step that is unique to recovery procedures for Kerberos Golden Ticket attacks. If true, that’s bad news for the U.S. government and private sector organizations targeted in this attack. Very bad news.
Golden Tickets: An Apex Attack
As we explained in a blog post describing them, Golden Ticket Attacks give attackers unfettered access to networked resources within compromised environments, plus the ability to forge new Kerberos tickets for any services they wish to access. Golden Tickets allow adversaries to reside on networks indefinitely, all the while disguised as credentialed administrators passing valid authentication tokens.
Though powerful, they are less often seen in real-life incidents. That’s because the bar for creating a Golden Ticket is high, and because less esoteric attacks can be equally effective in achieving attackers’ objectives. To forge a Golden Ticket, attackers have typically already identified and obtained local administrator-level access to the Active Directory domain controller. Finally, the attackers need to successfully steal a hash of the Key Distribution Service account (KRBTGT). A tool such as Mimikatz or password-grabbing attacks such as Pass-the-Hash or DCSync may be used to obtain the KRBTGT password hash from the domain controller. With the password hash for the Key Distribution Service account, the Golden Ticket Attack can finally be launched.
The CISO advisory suggests that this is what happened, though there has been no confirmation of that in public information released about the incident.
A Novel Pivot to SAML
A Golden Ticket attack would be bad enough, if it happened. But wait, there’s more!
In the case of the SolarWinds attack, the adversaries appear to have modified the traditional attacker playbook. In addition to completely compromising Active Directory and achieving domain dominance, the attackers used domain administrator privileges to compromise the Security Assertion Markup Language (SAML) signing certificate used for federated login into cloud-based services. Put simply, an attacker bearing forged SAML assertions would be able to log into cloud services that rely on federal credentials. This is not a flaw in SAML itself, which is working as designed and allowing credentials to be trusted by downstream cloud services. But because the original root of trust (Active Directory) was compromised, “lateral movement” in this context takes on a whole new meaning: moving from the on-premise environment into the cloud, using forged credentials. As we’ve previously demonstrated, using Active Directory as the foundational infrastructure of trust exposes further federated systems to credential abuse. Active Directory compromises introduces additional exploit opportunities over common SSO providers as well Active Directory Federated Services.
CISA has released a Cybersecurity Advisory describing the SAML attack scenario. However, the agency has not released any information about which cloud services may have been targeted. But any of the FedRAMP-certified cloud services would be fair game. Current services listed in the FedRAMP directory include Adobe Creative Cloud, Amazon Web Services, Box, Crowdstrike, Docusign, FireEye, Google Apps and Google Cloud, Microsoft Azure and Office 365, MobileIron, Splunk, Zcaler and Zoom—to name just a few. All of these applications can be SAML-enabled to trust federal agency credentials. We expect that attackers attempting to use SAML credentials in these cloud services would be targeting administrative accounts, one application at a time.
Given the range of functionality that even this small FedRAMP subset provides, forged administrative credentials would allow attackers to control a wide variety of services, and access a large amount of sensitive data. Attackers could spin up rogue server workloads or shut down existing ones, read or delete cloud email and documents, eavesdrop on video calls, view web traffic, modify the behavior of mobile devices, and erase evidence of compromise from security logs. We should stress that we are not aware that any of these or other cloud providers have been compromised, or that these scenarios occurred. Nonetheless, these are all highly plausible given the nature of the attack.
We should point out that the attack scenarios we’ve just described apply not just to federal agencies. They apply equally to all organizations. Any of SolarWind’s 300,000 customers could have been attacked in the same manner, had their Windows domains compromised, and seen attackers attempt to use forged SAML credentials in downstream services. Indeed, SolarWinds estimates that 18,000 customers may have downloaded the malware-laced binaries that made these attacks possible—most famously, FireEye.
Without Trust, Operational Chaos
Both in government and outside of it, reconstructing what the attackers did (or did not do) in these external environments will be extremely challenging, and will need to be done on an agency-by-agency and company-by-company basis—for all SolarWinds customers. That’s in addition to Job One: evicting the attackers and restoring operational command and control. For organizations struggling to evict a Russian advanced persistent threat (APT), the implications are dire. Golden Ticket attacks are apex- level attacks on critical controls infrastructure. In totally compromised environments, highly-privileged attackers look just like normal administrators.
Guidance from CISA, published on Thursday, hints at the kind of chaos and disorientation Golden Ticket attacks can sow. IT staff are warned that, due to the compromise of “key personnel, incident response staff, and IT email accounts” discussion of findings and mitigations should be “considered very sensitive” and conducted “out of band” (that is: off the network). In fact, any activity conducted on the network should be carefully considered in light of the compromise.
Detecting Golden Ticket Attacks
CISA provides a number of detection techniques to spot malicious SAML tokens and other suspicious activity in compromised environments. But spotting Golden Tickets is another matter—especially if organizations want to detect them in time to prevent them from being used maliciously. Traditional security hygiene can also limit an organization’s exposure to such attacks: from software patching to the enforcement of user “least privilege” policies that can thwart lateral movement.
However, as we have written before, domain administrators have historically struggled to monitor for the tell-tale signs of stealthy Active Directory attacks. Fast, accurate, and deterministic detection of Active Directory hacks of the kind QOMPLX’s technology makes possible, is the best way to spot attacks on Active Directory early.
Validate the Kerberos Protocol
To actually defend against Golden Ticket Attacks, external validation of the Kerberos protocol is required to assure that every ticket presented by a Kerberos principal (i.e. service client) was in fact issued by a legitimate key distribution center.
Products like QOMPLX Q:CYBER provide real-time analytics and external stateful validation of Kerberos. Because QOMPLX validates the Kerberos protocol, instead of looking for specific malicious binaries or log-based “signatures,” our technology is completely agnostic to the methods used. It does not matter whether threat actors use attack tools such as Mimikatz or Cobalt Strike, lace SolarWinds with backdoor malware, or forge Kerberos tickets by hand—Q:CYBER will detect all violations of the protocol.
Stateful validation is the key to stopping attacks such as the Golden Ticket technique alluded to in the CISA advisory, and means that applications that rely on Kerberos, such as downstream SAML services, can be authenticated with confidence. QOMPLX makes it faster and easier for organizations to integrate disparate internal and external data sources across the enterprise via a unified analytics infrastructure that supports better decision-making at scale.
As companies work to assess their own exposure to this wide ranging threat, QOMPLX stands ready to assist them in assessing whether their Active Directory environment may have been compromised and, if necessary, to establish “ground truth” in their environment and begin recovering from the incident.
If you want to learn more about how QOMPLX and QOMPLX Government Solutions can help your company identify and thwart attacks on Active Directory including Golden Ticket Attacks and Kerberoasting, contact our team now to set up a discussion with QOMPLX security practitioners.