New Malicious Variant Uncovered in 2020 SolarWinds Breach Attack Technique

Z Patel

What’s Happening & Why This Matters

Semperis, a cybersecurity firm, recently discovered an exploit called Silver SAML, a new version of Golden SAML, which poses a significant risk to organizations that use SAML for authentication, such as Salesforce. Initially, Golden SAML was used in the SolarWinds cyberattack in 2020, affecting thousands of organizations, including the U.S. Government. Following this attack, the Cybersecurity Infrastructure Security Agency (CISA) recommended that organizations move SAML authentication to a cloud identity system, such as Entra ID, as a security measure.

SolarWinds breach – Krebs on Security
2020 Solarwinds vulnerability timeline. IMAGE: Krebs on Security

To protect against Silver SAML attacks in Entra ID, organizations should only use Entra ID self-signed certificates for SAML signing purposes, limit who has ownership over applications in Entra ID, and monitor changes to SAML signing keys. According to Eric Woodruff, a Semperis researcher, despite the belief that moving to certain identity systems would provide complete protection against these types of attacks, the applications are still vulnerable to Silver SAML if the organizations carry bad certificate management practices from previous systems.

TF Summary: What’s Next

Semperis researchers rate the Silver SAML vulnerability as a moderate risk to organizations but suggest that depending on the compromised system, it could reach a severe level. Semperis is committed to protecting enterprise identity services in hybrid and multi-cloud environments and offers various cyber community resources. They offer hybrid identity protection tools and are a key player in the cybersecurity industry, hosting valuable resources for cyber protection.

Three Things the SolarWinds Supply Chain Attack Can Teach Us
Learns learned from SolarWinds attack. IMAGE: Aeolus

Share This Article
Avatar photo
By Z Patel “TF AI Specialist”
Background:
Zara ‘Z’ Patel stands as a beacon of expertise in the field of digital innovation and Artificial Intelligence. Holding a Ph.D. in Computer Science with a specialization in Machine Learning, Z has worked extensively in AI research and development. Her career includes tenure at leading tech firms where she contributed to breakthrough innovations in AI applications. Z is passionate about the ethical and practical implications of AI in everyday life and is an advocate for responsible and innovative AI use.
Leave a comment