During the Feb 23rd Senate hearing on the SolarWinds Orion software hack, George Kurtz, president and CEO of CrowdStrike, pointed to an ‘architectural limitation’ in Active Directory Federation Service that was taken advantage of during the attack.
“Significantly, one of the most sophisticated aspects of the StellarParticle campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft’s Active Directory Federation Service credentialing and authentication process. The Golden SAML attack leveraged by StellarParticle actors allowed them to jump from customers’ on-premise environments and into their cloud and cloud-applications, effectively bypassing multi-factor authentication,” said Kurtz. He also went on to say that the presence of this flaw means that more breaches will come as it enables attackers to masquerade as anyone in the network.
The Senate hearing took place in the presence of executives that included Kevin Mandia, FireEye’s CEO; Sudhakar Ramakrishna, SolarWinds’ CEO; Brad Smith, Microsoft’s president; and George Kurtz, CrowdStrike’s president and CEO. Notably, there was no representative present from Amazon Web Services even though the company was invited.