Cybersecurity researchers at Semperis have discovered a new potential threat called Silver SAML, an attack method that exploits Security Assertion Markup Language (SAML) to launch attacks from cloud identity providers such as Entra ID. This newly discovered technique could potentially target applications configured to use Entra ID for authentication, including widely used platforms such as Salesforce and ServiceNow.
Interestingly, Silver SAML bears resemblance to Golden SAML, a technique used in the notorious SolarWinds attack of 2020, one of the most significant security breaches in recent history. Following the SolarWinds hack, organisations were urged by cybersecurity experts, including the Cybersecurity and Infrastructure Security Agency (CISA), to migrate their SAML authentication to cloud identity systems such as Entra ID. Regrettably, even those who adhered to these security recommendations are not safe from Silver SAML.
The hacking group Nobelium, also known as Midnight Blizzard, notoriously responsible for the SolarWinds breach, remains active. Recent attacks have targeted trusted technology providers Hewlett Packard Enterprise and Microsoft, with more victims likely to emerge. The recent guidance from the National Cyber Security Centre notably follows Russian hackers’ shift towards cloud-based attacks.
While Silver SAML currently poses a moderate risk to organisations according to Semperis researchers, the risk could escalate to severe depending on which system has been compromised. If Silver SAML were used to gain unauthorised access to business-critical applications and systems, the impact could be significant and potentially devastating. To date, no instances of Silver SAML being used in an attack have been reported.
In the wake of these developments, Semperis researchers have advised on several approaches to safeguard against Silver SAML attacks in Entra ID. Organisations are advised to use only Entra ID self-signed certificates for SAML signing purposes and keep application ownership to a minimum. It is also necessary to vigilantly monitor for changes to SAML signing keys, especially if the key is near its expiration.
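The third recommendation above, monitoring for changes to SAML signing keys and paying extra attention when a change lands close to the old key's expiry, is the kind of check that can be automated over audit events. The script below is an added illustration written for this article; it is not Semperis tooling or any Entra ID API. The event schema (`action`, `app`, `old_thumbprint`, `new_thumbprint`, `old_expiry`) is an assumed simplification, the events and thumbprints are constructed, and the trusted-thumbprint list stands in for the set of Entra ID self-signed signing certificates an organisation expects to see.

```python
"""Flag SAML signing-key changes in an audit-event stream (added example).

The event format below is an assumed, simplified schema invented for this
illustration; real audit logs need a small adapter to produce these fields.
"""
from datetime import datetime, timedelta, timezone

# Thumbprints of signing certificates the organisation expects (constructed
# placeholders; in practice the Entra ID self-signed certificates in use).
TRUSTED_THUMBPRINTS = {"AAAA1111AAAA1111AAAA", "BBBB2222BBBB2222BBBB"}

# A change made this close to the previous key's expiry looks like routine
# rotation, which is exactly when an unplanned change can blend in.
EXPIRY_WINDOW = timedelta(days=30)

# Constructed sample events: one unrelated change, one key change to a trusted
# certificate well before expiry, one key change to an unknown certificate
# shortly before the old key expires.
SAMPLE_EVENTS = [
    {"time": "2024-02-19T10:00:00Z", "action": "app_display_name_changed",
     "app": "ServiceNow", "actor": "admin@example.test"},
    {"time": "2024-02-20T09:00:00Z", "action": "saml_signing_key_changed",
     "app": "Salesforce", "actor": "admin@example.test",
     "old_thumbprint": "AAAA1111AAAA1111AAAA",
     "new_thumbprint": "BBBB2222BBBB2222BBBB",
     "old_expiry": "2024-06-01T00:00:00Z"},
    {"time": "2024-02-22T03:14:00Z", "action": "saml_signing_key_changed",
     "app": "ServiceNow", "actor": "svc-integration@example.test",
     "old_thumbprint": "BBBB2222BBBB2222BBBB",
     "new_thumbprint": "DEADBEEFDEADBEEFDEAD",
     "old_expiry": "2024-03-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_event(event, trusted=TRUSTED_THUMBPRINTS, window=EXPIRY_WINDOW):
    """Return an alert dict for a signing-key change, or None for other events."""
    if event.get("action") != "saml_signing_key_changed":
        return None

    reasons = []
    severity = "medium"  # every signing-key change deserves a human look

    # A certificate the organisation did not issue through Entra ID is the
    # strongest signal: SAML responses signed with it would still be accepted.
    if event["new_thumbprint"] not in trusted:
        severity = "high"
        reasons.append("new certificate thumbprint is not on the trusted list")

    changed_at = parse_ts(event["time"])
    time_left = parse_ts(event["old_expiry"]) - changed_at
    if time_left <= window:
        reasons.append("change is near expiry of the previous key; "
                       "confirm it was a planned rotation")
    else:
        reasons.append("change made %d days before the previous key expires; "
                       "confirm it was intentional" % time_left.days)

    return {"app": event["app"], "actor": event["actor"], "time": event["time"],
            "old": event["old_thumbprint"], "new": event["new_thumbprint"],
            "severity": severity, "reasons": reasons}


def scan(events, trusted=TRUSTED_THUMBPRINTS, window=EXPIRY_WINDOW):
    """Run the classifier over an event list and return the alerts in order."""
    alerts = []
    for event in events:
        alert = classify_event(event, trusted, window)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("[%s] %s signing key %s -> %s by %s at %s" % (
            alert["severity"].upper(), alert["app"], alert["old"][:8],
            alert["new"][:8], alert["actor"], alert["time"]))
        for reason in alert["reasons"]:
            print("    - " + reason)
```

The trusted list is the part that carries the first recommendation: if only Entra ID self-signed certificates are ever used for SAML signing, any change to a thumbprint outside that set is an immediate high-severity finding, while changes inside it are reviewed against the rotation schedule rather than ignored.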
Eric Woodruff, a researcher at Semperis, commented: “In the aftermath of the SolarWinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (Azure AD at the time) would protect you from SAML response forging, aka Golden SAML. Unfortunately, full protection from these types of attacks is more nuanced – if organisations carry certain “bad habit” certificate management practices from Active Directory Federation Services to Entra ID, the applications in their estate are still susceptible to SAML response forging, which we dubbed Silver SAML.” The invaluable work of Semperis greatly contributes to our collective knowledge on cyber threats and helps the tech community worldwide strengthen their defences.