Sunday, November 17, 2024
HomeCVE/vulnerabilityNew Silver SAML Attack Let Attackers Forge Any SAML Response To Entra...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

Published on

SolarWinds cyberattack was one of the largest attacks of the century in which attackers used the Golden SAML attack in post-breach exploitation to affect thousands of organizations all over the world including the United States government for deploying malicious code into Orion IT management and monitoring software. 

After the massive cyberattack, CISA recommended hybrid environment organizations to move to a cloud identity system such as Entra ID.

However, a new technique dubbed Silver SAML has been discovered which could bypass security recommendations and exploit Entra ID using applications.

- Advertisement - SIEM as a Service

Though this vulnerability has been rated as MODERATE risk to organizations, depending upon the compromised system, this Silver SAML authentication can be used to gain unauthorized access to business-critical applications that pose a SEVERE risk.

Silver SAML Attack

According to the reports shared with Cyber Security News, Entra ID is used by several organizations that use SAML for authenticating into applications.

However, this Entra ID uses a self-signed certificate for SAML response signing. Additionally, organizations can also use externally generated certificates to sign the SAML.

Silver SAML attack workflow (Source: Semperis)

Golden SAML authentication is well-known for its extraction of signing certificates from Active Directory Federation Services and using them to forge SAML authentication responses.

The Silver SAML attack does not use the ADFS in Microsoft Entra ID.

Suppose an attacker obtains the private key of an externally generated certificate. In that case, the attacker can forge any SAML response as they please and sign the response with the same private key that Entra ID holds.

If this attack is successful, the attacker can gain access to the application as any user.

Issue Behind SAML And Signing Certificates

The main issue with the SAML and signing certificates is that most of the organizations do not correctly manage signing certificates.

Additionally, the SAML security is weakened as they use externally signed certificates.

In addition to this, these externally signed certificates are also used to send certificate PFX files and passwords using insecure channels like Teams or Slack.

Even for organizations that use Azure Key Vault, a secure place to store self-signed certificates can also be infiltrated and extracted the keys.

Apart from this, organizations also manage SAML signing certificates externally instead of using the Entra ID.

Performing A Silver SAML Attack

To launch the attack in a Service Provided initiated flow, a threat actor needs to intercept the SAML request and replace the contents of the SAML response with a forged SAML response which could be done using an intercepting proxy such as Burp Suite.

An example of this attack was demonstrated with the test flow by researchers. The SAML response for a user oktaAdministrator@xd6z7.onmicrosoft.com was intercepted.

For exploitation, some of the SAML claims information such as UPN (User Principal Name), surname, firstname, displayName, and objectID need to be collected, which can be done using the Entra admin center or Microsoft Graph API.

Intercepting the SAML response (Source: Semperis)

With the researchers created tool “SilverSAMLForger”, the required parameters are generated as a base64 and URL encoded output string.

This forged SAML response can then be used to replace the SAML response in the intercepted response, making the application log in as a targeted user.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...