Cyber security news for all


    Unveiling Silver SAML: A New Attack Vector Exploiting SAML Authentication

    Cybersecurity researchers have unveiled a new attack method dubbed Silver SAML, capable of bypassing defenses against Golden SAML attacks.

    Silver SAML allows exploitation of the Security Assertion Markup Language (SAML) to launch attacks from an identity provider like Entra ID against applications configured for SAML authentication, such as Salesforce, according to Semperis researchers Tomer Nahum and Eric Woodruff.

    Golden SAML, documented by CyberArk in 2017, involves abusing the SAML standard to impersonate any identity within an organization, granting attackers unauthorized access to services with any privileges, while remaining stealthy.

    “Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” noted security researcher Shaked Reiner.

    Although real-world attacks using Golden SAML have been rare, instances include the compromise of SolarWinds infrastructure to gain administrative access and an Iranian threat actor using it to access cloud resources without requiring a password.

    The Silver SAML attack, a variant of Golden SAML, operates within an identity provider such as Microsoft Entra ID (formerly Azure Active Directory) and does not necessitate access to the Active Directory Federation Services (AD FS). It has been classified as a moderate-severity threat.

    “Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. With this type of forged SAML response, the attacker can then access the application — as any user,” the researchers explained.

    While there is no evidence of Silver SAML being exploited in the wild, organizations are advised to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also released a proof-of-concept (PoC) called SilverSAMLForger to create custom SAML responses.

    “Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement,” the researchers recommended. “Implementing change control processes to document the rotation can help to minimize confusion during rotation events.”
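The monitoring advice above, turned into a small detection routine as an added example (not Semperis' code or tooling): it scans Entra ID audit records for modifications to PreferredTokenSigningKeyThumbprint and cross-checks each one against a change-control register, so a rotation nobody documented stands out. The records, application name, user names and thumbprint values are constructed for illustration; the record shape follows the audit-log layout (category, activityDisplayName, targetResources with modifiedProperties), but real thumbprints are 40-character hex strings.

```python
import json

# Constructed sample records shaped like Entra ID audit-log entries.
# App, users and thumbprints are made up; real thumbprints are SHA-1 hex.
SAMPLE_AUDIT_LOG = [
    {"id": "evt-1", "category": "ApplicationManagement",
     "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "iam-admin@example.com"}},
     "targetResources": [{"displayName": "Salesforce", "modifiedProperties": [
         {"displayName": "PreferredTokenSigningKeyThumbprint",
          "oldValue": "\"AAAA1111\"", "newValue": "\"BBBB2222\""}]}]},
    {"id": "evt-2", "category": "ApplicationManagement",
     "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "contractor@example.com"}},
     "targetResources": [{"displayName": "Salesforce", "modifiedProperties": [
         {"displayName": "PreferredTokenSigningKeyThumbprint",
          "oldValue": "\"BBBB2222\"", "newValue": "\"CCCC3333\""}]}]},
    {"id": "evt-3", "category": "ApplicationManagement",
     "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "iam-admin@example.com"}},
     "targetResources": [{"displayName": "Salesforce", "modifiedProperties": [
         {"displayName": "DisplayName", "oldValue": "\"SFDC\"", "newValue": "\"Salesforce\""}]}]},
]

# Hypothetical change-control register: (application, new thumbprint)
# pairs that were documented before the rotation took place.
APPROVED_ROTATIONS = {("Salesforce", "BBBB2222")}

WATCHED_PROPERTY = "PreferredTokenSigningKeyThumbprint"

def _unquote(value):
    # Audit logs carry old/new values as JSON-encoded strings; accept raw values too.
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value

def find_signing_key_changes(records, approved):
    """One finding per change to the preferred token-signing key; a change
    absent from the change-control register is flagged as unapproved."""
    findings = []
    for rec in records:
        if rec.get("category") != "ApplicationManagement":
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for target in rec.get("targetResources", []):
            app = target.get("displayName")
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != WATCHED_PROPERTY:
                    continue
                new = _unquote(prop.get("newValue"))
                findings.append({"event": rec["id"], "app": app, "actor": actor,
                                 "old": _unquote(prop.get("oldValue")), "new": new,
                                 "approved": (app, new) in approved})
    return findings
```

Unapproved findings (evt-2 here) are the ones worth an alert: a new signing key nobody scheduled is exactly what a forged-response setup or an unmanaged certificate change would look like in the log.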
