February 29, 2024 at 11:27AM
Cybersecurity researchers have unveiled a new attack technique called Silver SAML, a variant of the Golden SAML attack that exploits SAML for unauthorized access to applications like Salesforce. While real-world attacks are rare, the method poses a moderate-severity threat, impacting organizations using identity providers like Microsoft Entra ID. Responsible disclosure has been made to Microsoft, and guidance has been shared to safeguard against potential exploits.
The main topic is the emergence and impact of a new cyber attack technique called Silver SAML. This attack method can bypass the mitigations applied against Golden SAML attacks, allowing attackers to exploit Security Assertion Markup Language (SAML) and gain unauthorized access to applications like Salesforce. The attack is similar to the Golden Ticket attack and has recently been used in real-world incidents to compromise cloud resources and gain administrative access.
The attack leverages weaknesses in how identity providers like Microsoft Entra ID handle SAML signing and poses a moderate-severity threat to organizations by enabling attackers to forge SAML responses and gain unauthorized access to applications. The researchers have developed a proof-of-concept (PoC) dubbed SilverSAMLForger to demonstrate the creation of custom SAML responses, and they recommend that organizations monitor Entra ID audit logs for changes related to SAML signing.
While there are currently no known exploits of Silver SAML in the wild, organizations are advised to use only self-signed certificates issued by Entra ID for SAML signing and to implement change control processes that document the rotation of expired certificates. Additionally, responsible disclosure was made to Microsoft regarding the issue, and appropriate actions are expected to safeguard customers.
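The two recommendations above (watch Entra ID audit logs for SAML-signing changes, and require a documented change-control record for every certificate rotation) can be combined into one detection: raise an alert whenever a signing-key change on an enterprise application has no approved change ticket near it in time. The script below is an added example and is not code from the article or from the SilverSAMLForger researchers. It assumes audit records shaped like Microsoft Graph `directoryAudit` entries (`activityDisplayName`, `activityDateTime`, `initiatedBy`, `targetResources[].modifiedProperties[]`); the activity and property names it matches, the sample records and the change-ticket table are all constructed assumptions that should be checked against a real tenant export before use.

```python
"""Flag SAML signing-certificate changes in Entra ID audit records that are not
covered by an approved change ticket.

Added example, not from the original article or the researchers' tooling.
ASSUMPTIONS: record layout follows Microsoft Graph directoryAudit entries; the
activity names and modified-property names below are what we expect a signing
certificate rotation to produce and must be verified against your own logs;
sample records and change tickets are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Audit activities / modified properties treated as SAML-signing related.
# ASSUMPTION: confirm these strings against a real export and adjust.
SIGNING_ACTIVITIES = {
    "Update service principal",
    "Update application – Certificates and secrets management",
}
SIGNING_PROPERTIES = {"PreferredTokenSigningKeyThumbprint", "KeyCredentials"}


@dataclass
class Alert:
    app_id: str
    actor: str
    activity: str
    changed_property: str
    timestamp: datetime


def _actor(record: dict) -> str:
    """Best-effort identity of whoever made the change (user or app)."""
    who = record.get("initiatedBy", {})
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _parse_ts(value: str) -> datetime:
    # Graph timestamps end in 'Z'; normalise for fromisoformat on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unapproved_signing_changes(records, approved_changes, window_hours=24):
    """Return an Alert for every signing-key change on an app that has no
    approved change ticket for that app within +/- window_hours."""
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") not in SIGNING_ACTIVITIES:
            continue
        ts = _parse_ts(rec["activityDateTime"])
        for target in rec.get("targetResources", []):
            app_id = target.get("id")
            for prop in target.get("modifiedProperties", []):
                name = prop.get("displayName")
                if name not in SIGNING_PROPERTIES:
                    continue
                covered = any(
                    chg["app_id"] == app_id
                    and abs(chg["scheduled"] - ts) <= timedelta(hours=window_hours)
                    for chg in approved_changes
                )
                if not covered:
                    alerts.append(
                        Alert(app_id, _actor(rec), rec["activityDisplayName"], name, ts)
                    )
    return alerts


# --- Constructed sample input (not real tenant data) -------------------------
APPROVED_CHANGES = [
    {"ticket": "CHG-0001", "app_id": "sp-salesforce",
     "scheduled": datetime(2024, 2, 20, 10, 0, tzinfo=timezone.utc)},
]

def _rec(when, activity, app_id, prop, upn):
    return {
        "activityDateTime": when,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": upn}},
        "targetResources": [{"id": app_id,
                             "modifiedProperties": [{"displayName": prop}]}],
    }

SAMPLE_RECORDS = [
    # Planned rotation, covered by CHG-0001 -> no alert
    _rec("2024-02-20T10:15:00Z", "Update service principal", "sp-salesforce",
         "PreferredTokenSigningKeyThumbprint", "idadmin@example.test"),
    # Unrelated change -> ignored
    _rec("2024-02-21T08:00:00Z", "Update user", "user-123", "DisplayName",
         "helpdesk@example.test"),
    # Signing credential changed a week later with no ticket -> alert
    _rec("2024-02-27T03:12:00Z", "Update service principal", "sp-salesforce",
         "KeyCredentials", "contractor@example.test"),
    # Signing credential changed on an app with no ticket at all -> alert
    _rec("2024-02-20T10:30:00Z",
         "Update application – Certificates and secrets management", "sp-hr",
         "KeyCredentials", "idadmin@example.test"),
]


def run_sample():
    return find_unapproved_signing_changes(SAMPLE_RECORDS, APPROVED_CHANGES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.timestamp:%Y-%m-%d %H:%M} {a.app_id}: "
              f"{a.changed_property} changed by {a.actor} ({a.activity})")
```

The 24-hour window is a tunable: a tighter window forces rotations to happen at their scheduled time, a looser one tolerates maintenance drift. Any hit is worth treating as a potential forged-signing-key event until the change is tied to a ticket, because a signing-key substitution is exactly the precondition for the SAML-response forgery described above.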