New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers used the Golden SAML attack in post-breach exploitation to affect thousands of organizations all over the world including the United States government for deploying malicious code into Orion IT management and monitoring software. 

After the massive cyberattack, CISA recommended hybrid environment organizations to move to a cloud identity system such as Entra ID.

However, a new technique dubbed Silver SAML has been discovered which could bypass security recommendations and exploit Entra ID using applications.

Though this vulnerability has been rated as MODERATE risk to organizations, depending upon the compromised system, this Silver SAML authentication can be used to gain unauthorized access to business-critical applications that pose a SEVERE risk.

Silver SAML Attack

According to the reports shared with Cyber Security News, Entra ID is used by several organizations that use SAML for authenticating into applications.

However, this Entra ID uses a self-signed certificate for SAML response signing. Additionally, organizations can also use externally generated certificates to sign the SAML.

Silver SAML attack workflow (Source: Semperis)

Golden SAML authentication is well-known for its extraction of signing certificates from Active Directory Federation Services and using them to forge SAML authentication responses.

The Silver SAML attack does not use the ADFS in Microsoft Entra ID.

Suppose an attacker obtains the private key of an externally generated certificate. In that case, the attacker can forge any SAML response as they please and sign the response with the same private key that Entra ID holds.

If this attack is successful, the attacker can gain access to the application as any user.

Issue Behind SAML And Signing Certificates

The main issue with the SAML and signing certificates is that most of the organizations do not correctly manage signing certificates.

Additionally, the SAML security is weakened as they use externally signed certificates.

In addition to this, these externally signed certificates are also used to send certificate PFX files and passwords using insecure channels like Teams or Slack.

Even for organizations that use Azure Key Vault, a secure place to store self-signed certificates can also be infiltrated and extracted the keys.

Apart from this, organizations also manage SAML signing certificates externally instead of using the Entra ID.

Performing A Silver SAML Attack

To launch the attack in a Service Provided initiated flow, a threat actor needs to intercept the SAML request and replace the contents of the SAML response with a forged SAML response which could be done using an intercepting proxy such as Burp Suite.

An example of this attack was demonstrated with the test flow by researchers. The SAML response for a user oktaAdministrator@xd6z7.onmicrosoft.com was intercepted.

For exploitation, some of the SAML claims information such as UPN (User Principal Name), surname, firstname, displayName, and objectID need to be collected, which can be done using the Entra admin center or Microsoft Graph API.

Intercepting the SAML response (Source: Semperis)

With the researchers created tool “SilverSAMLForger”, the required parameters are generated as a base64 and URL encoded output string.

This forged SAML response can then be used to replace the SAML response in the intercepted response, making the application log in as a targeted user.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

17 hours ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

2 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

3 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago