Microsoft recommends potentially affected customers use a hardware security module (HSM) to prevent another piece of malware from stealing secrets from AD FS servers.
End of September 2021 Microsoft published news about FoggyWeb, another sophisticated persistent backdoor hack which is designed to steal credentials and compromise the contents of Microsoft AD FS servers. The hack is believed to be associated with Nobelium, a group of suspected state-sponsored hackers believed responsible for the devastating SolarWinds hack.
Microsoft’s Active Directory Federation Service (AD FS) enables Federated Identity and Access Management by securely sharing digital identity and entitlements rights across security and enterprise boundaries. It enables single sign-on – within a security or enterprise boundary – to web applications that enable organizations to offer a seamless user experience when accessing their applications online. It means it helps support web service interoperability between a range of cloud-based products, including Microsoft 365.
Microsoft has already notified all customers that they have observed being targeted by the malware. They have published a detailed analysis of the hack and mitigating actions organizations can deploy.
Microsoft makes three recommendations:
- Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access.
- Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
- Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.
Recommendation 3, made by Microsoft, is a reminder of the value a high assurance root of trust as a hardware security module (HSM) can bring to an AD FS and other IT deployments. The HSM is a robust, certified, tamper resistant device which is used to perform cryptographic operations such as generating and signing cryptographic keys in a protected environment resilient to attack from malware and other exploits. Microsoft recommends that the token signing certificates - which give access to federated resources - are protected in an HSM. These security tokens underpin the security of the AD FS system since they provide the mechanism by which partners can verify the authenticity and authorisation of a request.
Hardware Security Module (HSM)
In its default configuration, the keys AD FS uses to sign tokens never leave the federation servers on the intranet. They are never present in the DMZ or on the proxy machines. Optionally to provide additional protection, Microsoft recommends protecting these keys in a hardware security module (HSM) attached to AD FS. Microsoft does not produce an HSM product, however there are several on the market that support AD FS. In order to implement this recommendation, follow the vendor guidance to create the X509 certs for signing and encryption, then use the AD FS installation powershell commandlets, specifying your custom certificates.
Generating and storing cryptographic keys in dedicated hardware devices has been best practice for more than two decades now - your organization should follow it, too.
Source: Microsoft/CREAplus cybersecurity team