
Silver SAML Attack Dissection


The Golden SAML attack may be familiar from the SolarWinds attack, which affected organizations around the world after malicious code was deployed into the Orion IT management and monitoring software.

To mitigate or overcome this, CISA recommended that organizations with hybrid environments move to a cloud identity system such as Entra ID.

Golden SAML is well known for extracting signing certificates from Active Directory Federation Services (ADFS) and using them to forge SAML authentication responses.

The Silver SAML attack targets Microsoft Entra ID and does not rely on ADFS at all.

Suppose an attacker obtains the private key of an externally generated certificate. In that case, the attacker can forge any SAML response they please and sign it with the same private key that Entra ID holds. If the attack succeeds, the attacker can access the application as any user.


Along the same lines, a new technique dubbed Silver SAML has been discovered, which could bypass these security recommendations and exploit applications that use Entra ID for authentication. Silver SAML can be used to gain unauthorized access to business-critical applications and poses a SEVERE risk.

In general, many organizations use Entra ID with SAML to authenticate into applications, and Entra ID uses a self-signed certificate for SAML response signing. Organizations can also use externally generated certificates to sign SAML responses.

The main issue with SAML signing certificates is that most organizations do not manage them correctly, and SAML security is weakened when externally generated certificates are used.


The PFX files and passwords for these externally generated certificates are often sent over insecure channels such as Teams or Slack. Organizations that keep certificates in Azure Key Vault, a secure store for self-signed certificates, can also be infiltrated and have the keys extracted.

To launch the attack in a Service Provider (SP) initiated flow, a threat actor needs to intercept the SAML request and replace the contents of the SAML response with a forged one, which can be done using an intercepting proxy such as Burp Suite.

For exploitation, some SAML claim information such as UPN (User Principal Name), surname, first name, displayName, and objectID needs to be collected, which can be done using the Entra admin center or the Microsoft Graph API.

With the researchers' tool, “SilverSAMLForger”, the required parameters are generated as a base64- and URL-encoded output string. This forged SAML response can then replace the SAML response in the intercepted exchange, making the application log in the targeted user.
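From the application side, the checks below are what a relying party can run on every SAML response in addition to cryptographic signature verification: pinning the Entra ID signing certificate by thumbprint, tying the response to the AuthnRequest the application actually issued (InResponseTo), and enforcing Audience and expiry. This is an added example, not code from the original post or from the researchers' tool; it assumes the SAML library has already verified the XML-DSig signature, and the sample response and certificate blob are constructed placeholders. Because a Silver SAML attacker holds the real signing key, these checks narrow what a forged response can be used for but do not replace protecting the key itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_thumbprint(b64_der: str) -> str:
    """SHA-256 thumbprint (lowercase hex) of a base64-encoded DER certificate."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()

def check_response(xml_text, pinned_thumbprint, expected_audience, request_id, now=None):
    """Return the list of failed checks; [] means the response passed.
    Assumes the XML-DSig signature was already verified by the SAML library;
    these checks sit on top of that verification."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or cert_thumbprint(cert.text.strip()) != pinned_thumbprint:
        problems.append("signer is not the pinned Entra ID signing certificate")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest this SP issued")
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != expected_audience:
        problems.append("Audience does not name this application")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or now >= datetime.fromisoformat(
            (cond.get("NotOnOrAfter") or "1970-01-01T00:00:00Z").replace("Z", "+00:00")):
        problems.append("assertion is missing Conditions or has expired")
    return problems

# Constructed sample response (not a real Entra ID token); the certificate is a placeholder blob.
FAKE_CERT = base64.b64encode(b"constructed DER certificate placeholder").decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" InResponseTo="_req123">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, cert_thumbprint(FAKE_CERT), "https://app.example/saml", "_req123"))
```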
