Researchers in the field of cybersecurity have discovered a new attack method called Silver SAML. This method can succeed even when protections are set up to prevent Golden SAML assaults.
Researchers from Semperis, Tomer Nahum and Eric Woodruff, told The Hacker News that Silver SAML enables an identity supplier, like Entra ID, to conduct attacks against apps, like Salesforce, that utilize it for authentication.
Security Assertion Markup Language, or Golden SAML, was first documented in 2017 by CyberArk. By abusing the authentication standard, an attacker can assume the identity of any employee or contractor in a company.
Golden SAML is an exploit that, like the Golden Ticket, allows hackers to covertly access federated services and use them with varying degrees of privilege.
“Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” Shaked Reiner, a security researcher.
Although this approach has not been used in many real-world assaults, it was initially used to get administrator access to SolarWinds infrastructure by compromising SAML token signing certificates and forging SAML tokens.
In addition, Microsoft said that Peach Sandstorm, an Iranian threat actor, exploited Golden SAML during an attack in March 2023 to get password-free access to cloud resources.
Silver SAML, the most recent iteration of this method, is a tweaked variant of Golden SAML that may be used with an identity provider such as Microsoft Entra ID without need access to AD FS. Organizations are considered to be moderately threatened by it.
The researchers found that if an attacker gets their hands on the private key of a certificate that was created outside, they may impersonate any user and fabricate SAML answers. We have notified Microsoft about this issue, but they do not consider it urgent.
Use only Entra ID self-signed certificates for SAML signing purposes; there have been no documented abuses of Silver SAML. Additionally, a proof-of-concept (PoC) for developing one’s own SAML answers is available from Semperis; it’s named SilverSAMLForger.
To keep confusion to a minimum during certificate rotation events, organizations should develop change control procedures and keep an eye on the Entra ID audit logs for any changes to the PreferredTokenSigningKeyThumbprint under ApplicationManagement.
