Semperis Researchers Discover a New Malicious Variant of the Attack Technique Used in the 2020 SolarWinds Breach

Newly discovered Silver SAML vulnerability can be exploited even if organisations have followed the security recommendations meant to defend against Golden SAML

Semperis, a pioneer in identity-driven cyber resilience, today announced that its security research team discovered a new variant of the notorious Golden SAML attack technique and dubbed it Silver SAML. Using Silver SAML, threat actors could exploit SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce.

Golden SAML was used in the 2020 cyberattack against SolarsWinds, the most sophisticated nation-state hack in history. Threat group Nobelium, aka Midnight Blizzard, aka Cozy Bear, deployed malicious code into SolarWinds’ Orion IT management software, infecting less than 100 organisations, including the U.S. Government. In the wake of the attack, the Cybersecurity Infrastructure Security Agency (CISA) encouraged organisations with hybrid identity environments to move SAML authentication to a cloud identity system such as Entra ID.

Safeguarding Against Silver SAML Attacks

To safeguard effectively against Silver SAML attacks in Entra ID, organisations should use only Entra ID self-signed certificates for SAML signing purposes. Organisations should also limit who has ownership over applications in Entra ID. And monitor for changes to SAML signing keys, especially if the key is not near its expiration.

“In the aftermath of the SolarWinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (Azure AD at the time) would protect you from SAML response forging, aka Golden SAML. Unfortunately, full protection from these types of attacks is more nuanced – if organisations carry certain “bad habit” certificate management practices from Active Directory Federation Services to Entra ID, the applications in their estate are still susceptible to SAML response forging, which we dubbed Silver SAML,” said Eric Woodruff, Semperis researcher.

Semperis researchers rate the Silver SAML vulnerability as a MODERATE risk to organisations. However, depending on the compromised system, should Silver SAML be used to gain unauthorised access to business-critical applications and systems, the risk level could rise to a SEVERE level.

To learn more about the Silver SAML vulnerability, visit: https://www.semperis.com/blog/meet-silver-saml/

About Semperis  

Semperis protects critical enterprise identity services for security teams charged with defending hybrid and multi-cloud environments from cyberattacks, data breaches, and operational errors. Purpose-built for securing hybrid identity environments—including Active Directory, Entra ID, and Okta, Semperis’ patented technology protects 100+ million identities across government agencies and the world’s leading enterprises.    

As part of its mission is to be a force for good, Semperis offers a variety of cyber community resources, including the award-winning Hybrid Identity Protection (HIP) Conference, HIP Podcast and free identity security tools Purple Knight and Forest Druid. Semperis is a privately-owned, international company headquartered in Hoboken, New Jersey, with customers in more than 40 countries.  

Learn more: https://www.semperis.com  

Follow us: Blog / LinkedIn / X / Facebook / YouTube