Silver SAML: The New Cybersecurity Threat to Watch Out For

In the ever-evolving cybersecurity landscape, threat actors have unveiled a menacing new technique called “Silver SAML.” This method, akin to the famed “Golden SAML” tactic, enables attackers to bypass robust defenses by forging SAML authentication objects, thus gaining unauthorized access to a myriad of applications and services. Not dependent on the compromise of Active Directory Federation Services (AD FS), “Silver SAML” specifically targets systems that accept externally generated SAML signing certificates. The gutsy move? It avoids the need to breach Entra ID.

Delving deeper, the “Golden SAML” attack, as identified by CyberArk, worked by stealthily extracting signing certificates from AD FS to manufacture authentic-looking SAML responses. In contrast, “Silver SAML” strikes directly at applications, sidestepping the actual compromise of the Entra ID. This cunning approach exploits the fact that Azure AD and other identity providers accept these forged responses, a significant oversight that threatens security protocols once deemed unassailable.

To illustrate the potential perils of “Silver SAML,” researchers at Semperis, a company heralding its place in the top echelons of cybersecurity innovation, crafted the “SilverSAMLForger,” a proof-of-concept tool. It demonstrates the feasible spoofing of SAML responses using externally generated certificates, ringing alarms about the essential need to tightly secure these credentials.

Critically, Azure Key Vault—one of the vaults where these precious keys may reside—may sit vulnerable to attackers scheming to snatch SAML assertion or response signing keys. Subsequently, organizations that rely on these mechanisms must enhance their guard by securing externally generated certificates to avert any exploitation attempts. Notably, this type of cyber assault carries a varied impact, contingent on the application landscape of a business and its dependence on Entra ID for federation.

Semperis emphasizes the urgency for firms to transfer SAML authentication duties to cloud systems such as Entra ID, post-SolarWinds debacle. This is essential to combat not just “Silver SAML” but also the entire spectrum of external certificate vulnerabilities that may compromise SAML security within organizations. Moreover, it is crucial to focus on secure management practices for resources like signing certificates.

For stakeholders in the realm of cybersecurity, pinpointing and implementing defense strategies is now a high priority. Organizations must consider steps, including stringent monitoring, meticulous auditing, and potentially, an overhaul to OpenID Connect. As security professionals wrestle with Silver SAML’s intricacies, it is incumbent upon them to ensure the collective fortitude of our cyber defenses against this new, shadowy foe.