April 16, 2024

Feb 29, 2024NewsroomRisk Intelligence / Cyber Risk

Silver SAML Attack

Cybersecurity researchers have disclosed a brand new assault approach known as Silver SAML that may be profitable even in circumstances the place mitigations have been utilized towards Golden SAML assaults.

Silver SAML “allows the exploitation of SAML to launch assaults from an identification supplier like Entra ID towards purposes configured to make use of it for authentication, comparable to Salesforce,” Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker Information.

Golden SAML (brief for Security Assertion Markup Language) was first documented by CyberArk in 2017. The assault vector, in a nutshell, entails the abuse of the interoperable authentication normal to impersonate virtually any identification in a company.

It is also just like the Golden Ticket attack in that it grants attackers the power to achieve unauthorized entry to any service in a federation with any privileges and to remain persistent on this atmosphere in a stealthy method.


“Golden SAML introduces to a federation the benefits that golden ticket presents in a Kerberos atmosphere – from gaining any kind of entry to stealthily sustaining persistency,” safety researcher Shaked Reiner famous on the time.

Actual-world assaults leveraging the tactic have been uncommon, the first recorded use being the compromise of SolarWinds infrastructure to achieve administrative entry by forging SAML tokens utilizing compromised SAML token signing certificates.

Golden SAML has additionally been weaponized by an Iranian risk actor codenamed Peach Sandstorm in a March 2023 intrusion to entry an unnamed goal’s cloud sources sans requiring any password, Microsoft revealed in September 2023.

Silver SAML Attack

The most recent strategy is a spin on Golden SAML that works with an identification supplier (IdP) like Microsoft Entra ID (previously Azure Energetic Listing) and does not require entry to the Energetic Listing Federation Companies (AD FS). It has been assessed as a moderate-severity risk to organizations.

“Inside Entra ID, Microsoft offers a self-signed certificates for SAML response signing,” the researchers mentioned. “Alternatively, organizations can select to make use of an externally generated certificates comparable to these from Okta. Nonetheless, that possibility introduces a safety threat.”

“Any attacker that obtains the non-public key of an externally generated certificates can forge any SAML response they need and signal that response with the identical non-public key that Entra ID holds. With such a cast SAML response, the attacker can then entry the applying — as any person.”

Following accountable disclosure to Microsoft on January 2, 2024, the corporate mentioned the difficulty doesn’t meet its bar for instant servicing, however famous it would take applicable motion as wanted to safeguard prospects.


Whereas there isn’t any proof that Silver SAML has been exploited within the wild, organizations are required to make use of solely Entra ID self-signed certificates for SAML signing functions. Semperis has additionally made accessible a proof-of-concept (PoC) dubbed SilverSAMLForger to create customized SAML responses.

“Organizations can monitor Entra ID audit logs for modifications to PreferredTokenSigningKeyThumbprint below ApplicationManagement,” the researchers mentioned.

“You’ll need to correlate these occasions to Add service principal credential occasions that relate to the service principal. The rotation of expired certificates is a typical course of, so you have to to find out whether or not the audit occasions are respectable. Implementing change management processes to doc the rotation may help to reduce confusion throughout rotation occasions.”

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.