Last week, Microsoft published news about FoggyWeb, another sophisticated persistent backdoor hack which is designed to steal credentials and compromise the contents of Microsoft AD FS servers. The hack is believed to be associated with Nobelium, a group of suspected state-sponsored hackers believed responsible for the devastating SolarWinds hack.

Microsoft’s Active Directory Federation Service (AD FS) enables Federated Identity and Access Management by securely sharing digital identity and entitlements rights across security and enterprise boundaries. It enables single sign-on – within a security or enterprise boundary – to web applications that enable organizations to offer a seamless user experience when accessing their applications online. In short, it helps support web service interoperability between a range of cloud-based products including Gmail and Office 365.

Microsoft has already notified all customers that they have observed being targeted by the malware. In addition, they have published a detailed analysis of the hack and mitigating actions organizations can deploy. They also make a number of recommendations:

  1. Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access
  2. Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
  3. Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.

Recommendation 3, made by Microsoft, is a reminder of the value a high assurance root of trust Hardware Security Module (HSM) can bring to an AD FS and many other IT deployments. The HSM is a robust certified, tamper resistant device which is used to perform cryptographic operations such as generating and signing cryptographic keys in a protected environment resilient to attack from malware and other exploits. Microsoft recommends that the token signing certificates which give access to federated resources are protected in an HSM. These security tokens underpin the security of the AD FS system since they provide the mechanism by which partners can verify the authenticity and authorisation of a request.  Generating and storing cryptographic keys in dedicated hardware devices has been best practice for more than 20 years now. Surprisingly there are organizations who still unwittingly store their cryptographic keys in servers leaving them exposed to theft from bad actors.

Entrusts offer a range of nShield HSMs in varying form factor, performance and certification status to suit an organization’s needs – as well as a full portfolio of cybersecurity infrastructure solutions, including security posture management and securing user identities and access. To learn more visit: https://www.entrust.com/digital-security/hsm/products/nshield-hsms.