Semperis finds new attack variant

​

Research from Semperis (www.semperis.com) reveals that a new malicious variant of the attack technique used in the 2020 SolarWinds Breach can be exploited even if organizations have followed the security recommendations meant to defend against Golden SAML.

The newly discovered Silver SAML vulnerability allows threat actors to exploit SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce.
 
Golden SAML was used in the 2020 cyberattack against SolarsWinds, the most sophisticated nation-state hack in history.  Threat group Nobelium, aka Midnight Blizzard, aka Cozy Bear, deployed malicious code into SolarWinds’ Orion IT management software, infecting thousands of organizations, including the U.S. Government.  In the wake of the attack, the Cybersecurity Infrastructure Security Agency (CISA) encouraged organisations with hybrid identity environments to move SAML authentication to a cloud identity system such as Entra ID.
 
“In the aftermath of the SolarWinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (Azure AD at the time) would protect you from SAML response forging, aka Golden SAML,” says said Eric Woodruff, Semperis researcher.  “Unfortunately, full protection from these types of attacks is more nuanced – if organizations carry certain ‘bad habit’ certificate management practices from Active Directory Federation Services to Entra ID, the applications in their estate are still susceptible to SAML response forging, which we dubbed Silver SAML.”

To safeguard effectively against Silver SAML attacks in Entra ID, organizations should use only Entra ID self-signed certificates for SAML signing purposes.  Organizations should also limit who has ownership over applications in Entra ID, and monitor for changes to SAML signing keys, especially if the key is not near its expiration.

Semperis researchers rate the Silver SAML vulnerability as a ‘moderate’ risk to organizations.  However, depending on the compromised system, should Silver SAML be used to gain unauthorized access to business-critical applications and systems, the risk level could rise to a ‘severe’ level.
 
More on the Silver SAML vulnerability can be found at https://www.semperis.com/blog/meet-silver-saml