New variant of the Solarwinds attack technique discovered in 2020

Sicherheit (Pexels, allgemeine Nutzung) [German]The hack of numerous (US) authorities and companies via Solarwinds software in 2020 is probably still fresh in the minds of many readers. Now the Semperis security research team has discovered a new variant of "golden SAML", an attack technique that exploits the SAML authentication protocol and was used against Solarwinds by the hacker group Nobelium in 2020. The attack technique is known as "Silver SAML".

In 2020, a hack of numerous (US) authorities and companies via Solarwinds software caused quite a stir (see US Treasury and US NTIA hacked). Security researchers first publicly described the attack vector known as "golden SAML" back in 2017 (see Accusation: Microsoft failed with security in the SolarWinds hack).

Now the Semperis security research team has discovered a new variant of "golden SAML", an attack technique that exploits the SAML authentication protocol and was used against Solarwinds by the hacker group Nobelium in 2020.

Golden SAML

Golden SAML was used in the 2020 cyberattack on Solarwinds, the most sophisticated nation-state hack in history to date. The hacking group Nobelium, also known as Midnight Blizzard or Cozy Bear, injected malicious code into Solarwinds' Orion IT management software, infecting thousands of organizations, including the U.S. government. Following this attack, the Cybersecurity Infrastructure Security Agency (CISA) recommended that organizations with hybrid identity environments switch SAML authentication to a cloud identity system such as Entra ID.

Silver SAML

The newly discovered Silver SAML vulnerability can be exploited even if organizations have followed the security recommendations to protect against Golden SAML. Silver SAML allows threat actors to abuse the authentication protocol SAML (Security Assertion Markup Language) to launch attacks from an identity provider such as Entra ID against applications that use SAML for authentication, such as Salesforce.

Protection against Silver SAML attacks

To effectively protect against Silver SAML attacks in Entra ID, organizations should only use self-signed Entra ID certificates for SAML signing. Organizations should also restrict ownership of applications in Entra ID. They should also watch for changes to SAML signing keys, especially if the key is not about to expire.

"After the Solarwinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (then Azure AD) would protect against SAML response forgery, also known as Golden SAML. Unfortunately, full protection from this type of attack is more nuanced – when organizations move certain certificate management practices from Active Directory Federation Services to Entra ID, the applications in their inventory are still vulnerable to SAML response forgery, which we refer to as Silver SAML," said Eric Woodruff, researcher at Semperis.

Semperis researchers classify the Silver SAML vulnerability as a moderate risk for organizations. However, should Silver SAML be used to gain unauthorized access to business-critical applications and systems, the risk could increase to a severe level depending on the system under attack. Semperis provides more information on the Silver SAML vulnerability in this blog post.

New variant of the Solarwinds attack technique discovered in 2020

Golden SAML

Silver SAML

Protection against Silver SAML attacks

Leave a Reply Cancel reply

Blogs

Links

Social networks

Awards

Sponsors

Recent Comments

Recent Comments

Meta