Attackers Can Now Forge Any SAML Response to Entra ID with the New Silver SAML Attack

The attackers in the SolarWinds cyberattack, one of the biggest of the century, affected thousands of organizations worldwide, including the US government, by inserting malicious code into Orion IT management and monitoring software. They used the Golden SAML attack for post-breach exploitation.

Following that cyberattack, CISA advised organizations with hybrid environments to switch to a cloud identity solution like Entra ID.

Nevertheless, there is a novel method known as “Silver SAML” that gets around this security advice and abuses Entra ID through the applications that rely on it.

Despite being assessed as a MODERATE risk to enterprises, this Silver SAML authentication vulnerability can be used to gain unauthorized access to business-critical applications, which is a SEVERE risk depending on the compromised system.

Silver SAML Attack

Many companies that use SAML for application authentication use Entra ID, according to reports shared with Cyber Security News. For SAML response signing, Entra ID uses a self-signed certificate. However, organizations may also sign SAML responses with externally issued certificates.


Forging SAML authentication responses by extracting signing certificates from Active Directory Federation Services (AD FS) is a well-known technique known as “Golden SAML.” The Silver SAML attack does not use AD FS; it works against Microsoft Entra ID.

Let's say an attacker obtains the private key of an externally generated certificate. The attacker would then be able to sign any SAML response they want with the same private key that Entra ID holds. If the attack is successful, the attacker can access the application as any user.

Problems with SAML & Signing Certificates

The primary problem with SAML and signing certificates is that most enterprises mishandle their signing certificates. Because they use externally generated certificates, the security of SAML is compromised. Furthermore, the PFX files and passwords for these externally generated certificates are sent over insecure channels like Teams or Slack.

Even for businesses that use Azure Key Vault, it is possible to compromise the secure location where self-signed certificates are kept and retrieve the keys. In addition, companies handle their SAML signing certificates externally rather than through Entra ID.
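To find where this exposure exists, a defender can inventory which SAML applications are signed with certificates that Entra ID did not generate. The Python below is an added example, not code from the researchers or the original article; it assumes Microsoft Graph servicePrincipal field names and the subject name Entra ID gives its own certificates, and it runs on constructed sample data.

```python
import json
from datetime import datetime, timezone

# Assumption: subject name on signing certificates that Entra ID generates itself.
ENTRA_SUBJECT = "CN=Microsoft Azure Federated SSO Certificate"

# Constructed sample shaped like a Microsoft Graph servicePrincipals listing
# (selected fields only; app names, key IDs and dates are made up).
SAMPLE = json.loads("""
[{"displayName": "HR Portal", "preferredSingleSignOnMode": "saml",
  "keyCredentials": [{"keyId": "k1", "usage": "Sign",
    "displayName": "CN=Microsoft Azure Federated SSO Certificate",
    "endDateTime": "2027-01-10T00:00:00Z"}]},
 {"displayName": "Payroll", "preferredSingleSignOnMode": "saml",
  "keyCredentials": [
   {"keyId": "k2", "usage": "Sign", "displayName": "CN=payroll.example.com",
    "endDateTime": "2026-03-01T00:00:00Z"},
   {"keyId": "k2v", "usage": "Verify", "displayName": "CN=payroll.example.com",
    "endDateTime": "2026-03-01T00:00:00Z"}]},
 {"displayName": "Legacy CRM", "preferredSingleSignOnMode": "saml",
  "keyCredentials": [{"keyId": "k3", "usage": "Sign",
    "displayName": "CN=crm-sso", "endDateTime": "2024-02-01T00:00:00Z"}]},
 {"displayName": "Wiki", "preferredSingleSignOnMode": null,
  "keyCredentials": [{"keyId": "k4", "usage": "Sign",
    "displayName": "CN=wiki-client", "endDateTime": "2026-09-01T00:00:00Z"}]}]
""")

def external_signing_certs(service_principals, now):
    """List SAML signing certs that were not generated by Entra ID."""
    findings = []
    for sp in service_principals:
        if (sp.get("preferredSingleSignOnMode") or "").lower() != "saml":
            continue  # not a SAML SSO application
        for cred in sp.get("keyCredentials", []):
            if cred.get("usage") != "Sign":
                continue  # "Verify" entries carry only the public half
            subject = (cred.get("displayName") or "").strip()
            if subject.casefold() == ENTRA_SUBJECT.casefold():
                continue  # Entra-generated certificate
            expires = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
            findings.append({"app": sp["displayName"], "keyId": cred["keyId"],
                             "subject": subject, "usable": expires > now})
    # Unexpired externally generated certificates first: those keys can still sign.
    return sorted(findings, key=lambda f: (not f["usable"], f["app"]))

if __name__ == "__main__":
    for f in external_signing_certs(SAMPLE, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(f)
```

The subject comparison is a triage heuristic, since an externally generated certificate can carry any subject; confirm each result against how the certificate was actually created.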

Performing a Silver SAML Attack

In a flow that the service provider initiates, a threat actor can use an intercepting proxy like Burp Suite to intercept the SAML request and replace the contents of the SAML response with a forged SAML response.

Researchers used the test flow to provide an example of this attack. An intercept was found in the SAML response for the user

To carry out the attack, some of the SAML claim data, like UPN (User Principal Name), last name, first name, displayName, and objectID, must be gathered. This can be accomplished via the Microsoft Graph API via the Entra admin area.

Using the “SilverSAMLForger” program developed by the researchers, a base64- and URL-encoded output string is produced with the necessary parameters. This forged SAML response is then substituted for the SAML response in the intercepted response, which logs the attacker into the application as the intended user.
