Security researchers have discovered a new variant of the infamous Golden SAML attack technique, which the team has named “Silver SAML.”
With Silver SAML, threat actors can abuse the Security Assertion Markup Language (SAML) authentication protocol to launch attacks from an identity provider such as Entra ID against applications that use SAML for authentication, such as Salesforce. Golden SAML was used in the 2020 SolarWinds cyberattack, the most sophisticated nation-state hack in history to date. The hacker group Nobelium, also known as Midnight Blizzard or Cozy Bear, injected malicious code into SolarWinds' Orion IT management software, infecting thousands of companies, including the US government. Following this attack, the Cybersecurity and Infrastructure Security Agency (CISA) recommended that organizations with hybrid identity environments move SAML authentication to a cloud identity system such as Entra ID.
Protection against Silver SAML
To protect effectively against Silver SAML attacks in Entra ID, organizations should use only self-signed Entra ID certificates for SAML signing. They should also limit who owns applications in Entra ID, and monitor changes to signing keys, especially when the current key is not about to expire.
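The following script is an added example, not code from Semperis or the article, showing how the last two recommendations can be checked offline against exported Entra ID data. It assumes the field names of the Microsoft Graph keyCredential and directoryAudit resources (usage, type, displayName, startDateTime, endDateTime, activityDisplayName, initiatedBy, targetResources); the sample records are constructed, and the heuristic that Entra-generated SAML certificates carry the subject "CN=Microsoft Azure Federated SSO Certificate" is an assumption to validate against your own tenant.

```python
"""Offline review of SAML signing-key posture for an Entra ID service principal.

Two checks, matching the guidance above:
  1. flag signing certificates that do not look Entra-generated (imported material);
  2. flag certificate changes made while every pre-existing signing key still had
     plenty of validity left, i.e. changes not explained by an upcoming expiry.
"""
import json
from datetime import datetime, timedelta

# Subject Entra ID puts on the certificates it generates for SAML SSO (assumption).
ENTRA_SELF_SIGNED_SUBJECT = "CN=Microsoft Azure Federated SSO Certificate"

# Constructed sample: keyCredentials as exported from one service principal.
SAMPLE_KEY_CREDENTIALS = json.loads("""[
  {"keyId": "11111111-1111-1111-1111-111111111111", "usage": "Sign",
   "type": "AsymmetricX509Cert",
   "displayName": "CN=Microsoft Azure Federated SSO Certificate",
   "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2027-01-10T00:00:00Z"},
  {"keyId": "22222222-2222-2222-2222-222222222222", "usage": "Sign",
   "type": "AsymmetricX509Cert",
   "displayName": "CN=corp-saml-signing, O=Example Corp",
   "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2027-06-01T00:00:00Z"},
  {"keyId": "33333333-3333-3333-3333-333333333333", "usage": "Sign",
   "type": "AsymmetricX509Cert",
   "displayName": "CN=Microsoft Azure Federated SSO Certificate",
   "startDateTime": "2026-12-20T00:00:00Z", "endDateTime": "2029-12-20T00:00:00Z"}
]""")

# Constructed sample: directoryAudit entries for the same application.
SAMPLE_AUDIT_ENTRIES = json.loads("""[
  {"activityDateTime": "2024-06-01T08:00:00Z", "category": "ApplicationManagement",
   "activityDisplayName": "Update application - Certificates and secrets management",
   "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
   "targetResources": [{"displayName": "Salesforce"}]},
  {"activityDateTime": "2025-03-03T10:00:00Z", "category": "ApplicationManagement",
   "activityDisplayName": "Add owner to application",
   "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
   "targetResources": [{"displayName": "Salesforce"}]},
  {"activityDateTime": "2026-12-20T09:30:00Z", "category": "ApplicationManagement",
   "activityDisplayName": "Update application - Certificates and secrets management",
   "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
   "targetResources": [{"displayName": "Salesforce"}]}
]""")


def parse_ts(value):
    """Parse a Graph ISO-8601 timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signing_keys(key_credentials):
    """Only X.509 credentials with usage 'Sign' are SAML signing certificates."""
    return [k for k in key_credentials
            if k.get("usage") == "Sign" and k.get("type") == "AsymmetricX509Cert"]


def find_foreign_signing_certs(key_credentials):
    """Return keyIds of signing certs whose subject is not the Entra-generated one."""
    return [k["keyId"] for k in signing_keys(key_credentials)
            if not k.get("displayName", "").startswith(ENTRA_SELF_SIGNED_SUBJECT)]


def flag_unexplained_key_changes(audit_entries, key_credentials, warn_window_days=30):
    """Flag certificate changes made while no pre-existing signing key was near expiry.

    A key whose startDateTime is within a day of the event is treated as the key
    the event added, so it is excluded from the 'pre-existing' set.
    """
    window = timedelta(days=warn_window_days)
    flagged = []
    for entry in audit_entries:
        if entry.get("category") != "ApplicationManagement":
            continue
        if "Certificates and secrets" not in entry.get("activityDisplayName", ""):
            continue
        when = parse_ts(entry["activityDateTime"])
        prior = [k for k in signing_keys(key_credentials)
                 if parse_ts(k["startDateTime"]) < when - timedelta(days=1)]
        if not prior:
            continue  # first key ever issued: nothing to compare against
        soonest_expiry = min(parse_ts(k["endDateTime"]) for k in prior)
        if soonest_expiry - when > window:
            flagged.append({
                "when": entry["activityDateTime"],
                "actor": entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
                "app": entry.get("targetResources", [{}])[0].get("displayName"),
                "days_left_on_existing_key": (soonest_expiry - when).days,
            })
    return flagged


if __name__ == "__main__":
    print("Non-Entra signing certs:", find_foreign_signing_certs(SAMPLE_KEY_CREDENTIALS))
    for f in flag_unexplained_key_changes(SAMPLE_AUDIT_ENTRIES, SAMPLE_KEY_CREDENTIALS):
        print("Review:", f)
```

On the constructed data the June 2024 change is flagged (the existing Entra-generated key still had about two and a half years of validity and the added certificate is not Entra-generated), while the December 2026 rotation is not, because the oldest key was within the 30-day window. The owner-change event is ignored by this check; reviewing it separately covers the ownership recommendation.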
“After the SolarWinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (then Azure AD) would protect against forging SAML responses, also known as Golden SAML. Unfortunately, complete protection against these types of attacks is more nuanced – when organizations move certain certificate management practices from Active Directory Federation Services to Entra ID, the applications are still vulnerable to response forgery, which we refer to as Silver SAML,” said Eric Woodruff, researcher at Semperis.
The Semperis researchers classify the Silver SAML vulnerability as a moderate risk for companies. However, if Silver SAML is used to gain unauthorized access to business-critical applications and systems, the risk could rise to severe, depending on the system being attacked.
More at Semperis.com
About Semperis
For security teams tasked with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain, reducing recovery time by 90 percent.