February 29, 2024 at 06:08AM
The SolarWinds attack involved the use of the “Golden SAML” technique to forge SAML response tokens and gain access to enterprise networks; the threat actor used it to maintain persistent access to applications and services within victim organizations. Researchers at Semperis have now identified a new version called “Silver SAML,” which also involves SAML response forgery but does not require access to Active Directory Federation Services (ADFS). Instead, it works with externally generated SAML signing certificates in Microsoft Entra ID (formerly Azure AD) and other identity providers. This poses a moderate threat to organizations.
The Silver SAML attack can be executed when an attacker steals an externally generated signing certificate (with its private key) and uses it to forge a SAML response, granting unauthorized access to federated services and applications. This poses a significant threat to organizations that use externally generated certificates and do not manage them securely, since an attacker who obtains such a certificate can use it to sign forged SAML responses that the relying service will accept as genuine.
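Because a Silver SAML token is signed with the real (stolen) certificate, the service provider's signature check and certificate pinning both pass; the check that still works is reconciling each accepted assertion against the identity provider's own issuance records (for example Entra ID sign-in logs). The following is an added example, not code from Semperis or the article: it parses the fields a service provider would reconcile, applies certificate pinning to show it is insufficient on its own, and then flags assertions the IdP never issued. XML signature validation is assumed to have already run and is out of scope here; the hostnames, `PINNED_CERT`, `IDP_ISSUED` and the SAML XML are all constructed sample data.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces used by SAML 2.0 responses and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder for the base64 DER of the pinned signing certificate.
PINNED_CERT = "MIIC-CONSTRUCTED-PINNED-CERT-PLACEHOLDER"

# Constructed stand-in for the IdP's own issuance log (e.g. Entra ID sign-in
# records): assertion ID -> (subject, audience) the IdP says it issued.
IDP_ISSUED = {
    "_a1": ("alice@example.test", "https://app.example.test/saml"),
    "_a2": ("bob@example.test", "https://app.example.test/saml"),
}


@dataclass(frozen=True)
class AssertionFacts:
    assertion_id: str
    issuer: str
    subject: str
    audience: str
    embedded_cert: str


def parse_assertion(response_xml: str) -> AssertionFacts:
    """Pull the fields a service provider would reconcile out of a SAML Response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")

    def text(path: str) -> str:
        return (assertion.findtext(path, default="", namespaces=NS) or "").strip()

    return AssertionFacts(
        assertion_id=assertion.get("ID", ""),
        issuer=text("saml:Issuer"),
        subject=text("saml:Subject/saml:NameID"),
        audience=text("saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        embedded_cert=text("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"),
    )


def reconcile(response_xml: str, idp_issued: dict, pinned_cert: str) -> list:
    """Return findings for an assertion whose XML signature has already verified.

    Certificate pinning is checked first: a Silver SAML token passes it, because
    the attacker signs with the genuine (stolen) certificate. The reconciliation
    against the IdP log is what exposes an assertion the IdP never issued.
    """
    facts = parse_assertion(response_xml)
    findings = []
    if facts.embedded_cert != pinned_cert:
        findings.append("signing certificate is not the pinned certificate")
    record = idp_issued.get(facts.assertion_id)
    if record is None:
        findings.append("assertion ID absent from IdP issuance log")
    elif record != (facts.subject, facts.audience):
        findings.append("subject/audience differ from IdP issuance record")
    return findings


def sample_response(assertion_id: str, subject: str, audience: str, cert_b64: str) -> str:
    """Constructed SAML Response skeleton; the Signature element is structural only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r-{assertion_id}">
  <saml:Assertion ID="{assertion_id}">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    app = "https://app.example.test/saml"
    genuine = sample_response("_a1", "alice@example.test", app, PINNED_CERT)
    not_issued = sample_response("_a9", "admin@example.test", app, PINNED_CERT)
    print("genuine:", reconcile(genuine, IDP_ISSUED, PINNED_CERT))
    print("never issued:", reconcile(not_issued, IDP_ISSUED, PINNED_CERT))
```

In a real deployment the `IDP_ISSUED` lookup would be a query against the IdP's sign-in or token-issuance logs, and the reconciliation can run either inline at the service provider or after the fact over the provider's access logs; either way the signal is an assertion ID, subject or audience that the IdP has no record of issuing.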
To demonstrate the potential impact of Silver SAML, the researchers at Semperis developed a proof-of-concept tool named “SilverSAMLForger,” which generates a spoofed SAML response signed with an externally generated certificate. The severity of the threat posed by Silver SAML varies depending on an organization’s use of externally generated certificates and the security measures in place to protect them.
In summary, the discovery of the Silver SAML technique underscores the importance of organizations carefully managing their externally generated signing certificates, particularly when these are used in SAML token-based architectures for single sign-on across multiple cloud services.