Golden SAML, first described by CyberArk researchers in 2017, came to wide attention after the SolarWinds attack, in which threat actors who had compromised the company’s Orion network management product used it to maintain persistent access to applications and services inside the targeted environments. The technique involves stealing the victim organization’s Active Directory Federation Services (AD FS) token-signing certificate, together with its private key, and using it to sign forged SAML responses. Because every federated service trusts that certificate, the attacker can sign in as any user with whatever claims and privileges they choose to write into the token, without touching the real identity provider or leaving a sign-in record on it.
Recently, researchers at Semperis disclosed a variant of this technique, named “Silver SAML.” Unlike its predecessor, Silver SAML does not require access to AD FS; it applies to Microsoft Entra ID and to any other identity provider that lets an organization supply its own, externally generated SAML signing certificate. Eric Woodruff, a researcher at Semperis, explained that while Golden SAML was primarily used to access Entra ID and other applications, Silver SAML is limited to infiltrating individual applications and does not breach Entra ID itself.
Many organizations rely on SAML-based single sign-on (SSO) across cloud services such as Azure, AWS, and Google Cloud. In a Golden SAML attack, the adversary steals the AD FS token-signing certificate and forges SAML tokens that every federated service accepts, gaining access as any user with any claims the attacker chooses. Silver SAML instead targets the signing certificate of a single SAML application configured in Entra ID: if the organization generated that certificate outside Entra ID and uploaded it, the private key exists somewhere under the organization’s control, and an attacker who obtains it can craft a SAML response that the application cannot distinguish from one issued by Entra ID. This is a significant threat to organizations with weak certificate management practices.
Woodruff emphasized that externally generated certificates, often perceived as the more secure option, expose organizations to Silver SAML if they are not managed properly. Attackers can exploit weaknesses in how the certificate’s private key is stored and transmitted to steal it and use it for unauthorized access. By contrast, a signing certificate that Entra ID generates for an application never has its private key exported, so there is no copy for an attacker to find. The migration from AD FS to Entra ID has also contributed to exposure, as organizations may prioritize convenience over secure certificate handling during the move.
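The first thing a practitioner will want after reading the two paragraphs above is an inventory: which SAML applications in the tenant are signed with a certificate the organization generated outside Entra ID, since those are the ones whose private key could have leaked. The following PowerShell script is an added example written for this page; it is not code from the article or from Semperis. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the `Application.Read.All` permission, that the public certificate bytes are returned in the service principal’s `keyCredentials` (verify this against your own tenant), and that certificates generated by Entra ID carry the subject `CN=Microsoft Azure Federated SSO Certificate`, which is the distinguishing mark the script keys on.

```powershell
# Added example (not from the article or Semperis): list Entra ID enterprise
# applications configured for SAML SSO and flag those whose token-signing
# certificate was generated outside Entra ID.
# Assumptions: Microsoft Graph PowerShell SDK installed; caller has
# Application.Read.All; keyCredentials[].key holds the public certificate for
# service principals; Entra-generated certificates use the subject below.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$entraSubject = 'CN=Microsoft Azure Federated SSO Certificate'   # assumption, see lead-in

# Only service principals whose preferred SSO mode is SAML are of interest.
$samlApps = Get-MgServicePrincipal -All -Property @(
        'id', 'displayName', 'preferredSingleSignOnMode',
        'preferredTokenSigningKeyThumbprint', 'keyCredentials'
    ) | Where-Object { $_.PreferredSingleSignOnMode -eq 'saml' }

$findings = foreach ($sp in $samlApps) {
    # The 'Verify' credential is the public certificate the relying application
    # trusts when it validates Entra ID's signature on a SAML response.
    $verifyCreds = $sp.KeyCredentials |
        Where-Object { $_.Usage -eq 'Verify' -and $_.Type -eq 'AsymmetricX509Cert' }

    foreach ($cred in $verifyCreds) {
        if (-not $cred.Key) { continue }   # key bytes not returned; nothing to inspect

        # The SDK has exposed Key as byte[]; tolerate a Base64 string as well.
        $bytes = if ($cred.Key -is [string]) { [Convert]::FromBase64String($cred.Key) }
                 else { [byte[]]$cred.Key }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)

        [pscustomobject]@{
            App            = $sp.DisplayName
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            # The thumbprint Entra ID currently signs with for this application.
            Active         = ($cert.Thumbprint -eq $sp.PreferredTokenSigningKeyThumbprint)
            EntraGenerated = ($cert.Subject -eq $entraSubject)
        }
    }
}

# Externally generated certificates are the Silver SAML candidates: their private
# key was created, and may still be stored, outside Entra ID.
$findings |
    Where-Object { -not $_.EntraGenerated } |
    Sort-Object App, NotAfter |
    Format-Table App, Thumbprint, Subject, NotAfter, Active -AutoSize
```

Treat the output as a review list rather than a verdict: an externally generated certificate is not a compromise by itself, but each one should be traced back to where its private key was created, how the PFX was transferred, and who can still read it. Rotating such an application to an Entra-generated certificate removes the exportable private key entirely, which is the mitigation the article’s conclusion points to.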
To illustrate the impact of a Silver SAML attack, Semperis developed the “SilverSAMLForger” proof-of-concept tool, which shows how an attacker holding an externally generated certificate’s private key can forge responses that an application accepts as if they came from Entra ID. While the severity of the threat varies with an organization’s certificate management practices and the applications that depend on SAML, Woodruff classified Silver SAML as a moderate threat for organizations that use externally generated certificates without adequate security measures.
In conclusion, the emergence of Silver SAML as a derivative of the Golden SAML technique underscores the importance of robust certificate management in defending against this class of attack. Organizations must prioritize the secure generation, transmission, and storage of signing certificates, and where the identity provider can generate the certificate itself, as Entra ID can, prefer that option so that no exportable private key exists to be stolen.

