FireEye CEO Kevin Mandia testifies during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. FireEye owns Mandiant, founded by Mandia, which released research Tuesday about the need to lock down Active Directory Federation Services. (Photo by Drew Angerer/Getty Images)

Mandiant Tuesday posted a blog detailing a new attack strategy against Microsoft’s Active Directory Federation Services (AD FS). Researchers with the company believe the need to protect AD FS might be the unheralded second lesson from the SolarWinds campaign.

The main lesson organizations drew from the SolarWinds campaign was the need to protect against third-party risk and address supply chain security. Hackers that the United States linked to Russian Intelligence used a gimmicked update to the SolarWinds IT management software and other vectors to take over a variety of government agencies and private organizations.

But the same campaign relied on takeovers of AD FS servers to take over Microsoft 365 accounts for espionage purposes.

AD FS servers provide an authentication service that allows unified log-ins for cloud and on-premises services – a Microsoft answer to products like Okta. But unlike Okta, AD FS servers are managed by individual organizations. Hijacking AD FS is a matter of beating a security operations center, rather than a monolithic security firm.

“The SolarWinds supply chain compromise and ensuing activity has shown us that threat actors now are well aware of AD FS, and they’re investing a lot of time and research in targeting it,” said Doug Bienstock, who wrote the blog outlining the new attack. “And so we want to make sure that you know defenders are just as well versed as they are and are aware of this technique.”

During SolarWinds, hackers directly targeted the AD FS servers to obtain certificates. Mandiant’s new attack does not require direct access to the AD FS server. Rather, hackers would spoof one AD FS server communicating with another to obtain its keys. This is not trivial, said Bienstock – it still requires credentials from an extremely privileged account to pull off. But given the capacity of the hackers involved in SolarWinds, he said, chief information security officers should begin to see these kinds of attacks as part of the threat landscape.

“We now need to take a couple more additional steps to keep those servers safe, because at the end of the day they are just as important as our domain controllers,” he said. “They are the linchpin, the bedrock of security for not just your corporate network but all of the other cloud services that you may have configured to trust it, the biggest example being Microsoft 365.”