Member Article

Semperis Researchers Discover a New Malicious Variant of the Attack Technique used in the 2020 SolarWinds Breach

Semperis, a pioneer in identity-driven cyber resilience, today announced that its security research team discovered a new variant of the notorious Golden SAML attack technique and dubbed it Silver SAML. Using Silver SAML, threat actors could exploit SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce.

Golden SAML was used in the 2020 cyberattack against SolarsWinds, the most sophisticated nation-state hack in history. Threat group Nobelium, aka Midnight Blizzard, aka Cozy Bear, deployed malicious code into SolarWinds’ Orion IT management software, infecting thousands of organizations, including the U.S. Government. In the wake of the attack, the Cybersecurity Infrastructure Security Agency (CISA) encouraged organisations with hybrid identity environments to move SAML authentication to a cloud identity system such as Entra ID. 

Safeguarding Against Silver SAML Attacks

To safeguard effectively against Silver SAML attacks in Entra ID, organisations should use only Entra ID self-signed certificates for SAML signing purposes. Organisations should also limit who has ownership over applications in Entra ID. And monitor for changes to SAML signing keys, especially if the key is not near its expiration.

“In the aftermath of the SolarWinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (Azure AD at the time) would protect you from SAML response forging, aka Golden SAML. Unfortunately, full protection from these types of attacks is more nuanced - if organisations carry certain "bad habit" certificate management practices from Active Directory Federation Services to Entra ID, the applications in their estate are still susceptible to SAML response forging, which we dubbed Silver SAML,” said Eric Woodruff, Semperis researcher. 

Semperis researchers rate the Silver SAML vulnerability as a MODERATE risk to organisations. However, depending on the compromised system, should Silver SAML be used to gain unauthorised access to business-critical applications and systems, the risk level could rise to a SEVERE level.

This was posted in Bdaily's Members' News section by Semperis .