New vulnerability dubbed Silver SAML can be exploited even if organizations follow the security recommendations meant to defend against Golden SAML

HOBOKEN, NJ–February 29, 2024–Semperis, a pioneer in identity-driven cyber resilience, today announced that its security research team has discovered a new variant of the notorious Golden SAML attack technique and dubbed it Silver SAML. Using Silver SAML, threat actors could exploit SAML to launch attacks from an identity provider like Entra ID against applications configured to use the protocol for authentication, such as Salesforce.

Golden SAML was used post-breach in the 2020 SolarWinds cyberattack to move laterally within the company’s network. Threat group Nobelium, aka Midnight Blizzard/Cozy Bear, deployed malicious code into SolarWinds’ Orion IT management software, infecting nearly 100 organizations, including the U.S. Government. The attack is the most sophisticated nation-state hack in history. In the wake of the attack, the Cybersecurity and Infrastructure Security Agency (CISA) encouraged organizations with hybrid identity environments to move SAML authentication to a cloud identity system such as Entra ID.

Safeguarding Against Silver SAML Attacks

To safeguard effectively against Silver SAML attacks in Entra ID, organizations should use only Entra ID self-signed certificates for SAML signing purposes. Organizations should also limit who has ownership over applications in Entra ID and monitor for changes to SAML signing keys, especially if the key is not near its expiration.

“In the aftermath of the SolarWinds cyberattack, Microsoft and others, including CISA, stated that moving to Entra ID (Azure AD at the time) would protect you from SAML response forging, aka Golden SAML. Unfortunately, full protection from these types of attacks is more nuanced. If organizations carry certain ‘bad habit’ certificate management practices from Active Directory Federation Services to Entra ID, the applications in their estate are still susceptible to SAML response forging, which we dubbed Silver SAML,” said Eric Woodruff, Semperis researcher.

Semperis researchers rate the Silver SAML vulnerability as a MODERATE risk to organizations. However, depending on the compromised system, should Silver SAML be used to gain unauthorized access to business-critical applications and systems, the risk level could rise to SEVERE.

To learn more about the Silver SAML vulnerability, visit: https://www.semperis.com/blog/meet-silver-saml/

About Semperis

Semperis protects critical enterprise identity services for security teams charged with defending hybrid and multi-cloud environments from cyberattacks, data breaches, and operational errors. Purpose-built for securing hybrid identity environments, including Active Directory, Entra ID, and Okta, Semperis’ patented technology protects 100+ million identities across government agencies and the world’s leading enterprises.

As part of its mission to be a force for good, Semperis offers a variety of cyber community resources, including the award-winning Hybrid Identity Protection (HIP) Conference, HIP Podcast and free identity security tools Purple Knight and Forest Druid. Semperis is a privately owned, international company headquartered in Hoboken, New Jersey, with customers in more than 40 countries.

Learn more: https://www.semperis.com  

Media Contact:

Bill Keeler

Sr Director, PR & Comms

billk@semperis.com