How to Catch Golden SAML-Type Attacks

How to Catch Golden SAML-Type Attacks

The supply chain attack on SolarWinds exposes the effectiveness of a cyberattack method called “Golden SAML.”

SolarWinds Supply Chain Attack Background

In December 2020, FireEye disclosed its discovery of the supply chain attack on SolarWinds product Orion – monitoring and management platform designed to simplify IT administration.

In the supply chain attack on SolarWinds Orion, attackers gained access to the source code of Orion; maliciously changed the code; and said malicious code was made part of the official updates released to the customers of SolarWinds. The malicious updates allowed the SolarWinds attackers to gain initial access to the networks of the customers of SolarWinds Orion. The attack affected nearly 18,000 customers of SolarWinds Orion.

Among the companies that admitted that they’ve been impacted by the SolarWinds supply chain attack are FireEye and Microsoft. As a result of the SolarWinds supply chain attack, FireEye disclosed that the attackers stole its Red Team assessment tools which leverage known Common Vulnerabilities and Exposures (CVEs) to test and validate clients’ cybersecurity posture. Microsoft, meanwhile, admitted that attackers were able to view the company’s “source code in a number of source code repositories.”

What Is Golden SAML?

Golden SAML is an attack vector that was discovered back in 2017 by CyberArk Labs. One of the attack methods used by the attackers after gaining initial access to the networks of SolarWinds Orion customers is the Golden SAML. The use of Golden SAML in the SolarWinds supply chain attack is the first documented use of Golden SAML since the 2017 discovery.

Golden SAML allows attackers who gained initial access to a victim’s network such as in the case of SolarWinds supply chain attack to maintain persistence and gain access to the different services used by the victim in a convenient and stealth manner. “Golden SAML is a technique that allows attackers, once they got privileged access to the victim’s network, to impersonate almost any identity in the organization and acquire any type of privilege across almost all services of the organization (this depends on what services in the organization use SAML as their authentication protocol),” CyberArk Labs said in the latest blog post "Golden SAML Revisited: The Solorigate Connection .”

As described by CyberArk Labs, Golden SAML is basically a forged SAML. Short for Security Assertion Markup Language, SAML enables web browser Single Sign-On (SSO). SAML 2.0, first introduced in 2005, is the current standard version of the SAML protocol. 

With SSO, a user only has to enter their login credentials once and the user is then given access to cloud services that support SAML authentication such as Microsoft Azure or Amazon Web Services (AWS). “In a golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any privileges they desire and be any user on the targeted application (even one that is non-existent in the application in some cases),” CyberArk Labs said.

On the part of an attacker, CyberArk Labs said, Golden SAML has the following advantages:

• It can be generated from practically anywhere. There’s no need to be a part of a domain.
• It’s effective even when two-factor authentication (2FA) is enabled.
• The token-signing private key isn’t renewed automatically.
• Changing a user’s password won’t affect the generated SAML.

To perform the Golden SAML attack, CyberArk Labs said, the following requirements are needed: token-signing private key, IdP public certificate, IdP name, and Role name (role to assume). CyberArk Labs added that in order to get the private key, tools such as Mimikatz can be used.

According to FireEye, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike – a commercial penetration testing tool that’s marketed as a “software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." One of the tools included in Cobalt Strike is Mimikatz, a tool that’s capable of exploiting Windows Single Sign-On (SSO) functionality to harvest credentials.

Even though the Golden SAML has been a known attack vector since 2017, this hasn’t been addressed by the concerned vendors using the SAML 2.0 protocol as Golden SAML isn’t treated as a security vulnerability as an attacker needs to have domain admin access in order to perform it. The case in point is the SolarWinds supply chain attack in which the attackers already gained domain admin access.

According to FireEye, the SolarWinds supply chain attackers were observed targeting on-premises Active Directory Federation Services servers with the goal of obtaining the token-signing certificate to forge SAML tokens. Active Directory Federation Services is a software component developed by Microsoft that runs on Windows Server operating systems to provide users with Single Sign-On access to systems and applications.

Cybersecurity Best Practices

One of the cybersecurity measures to prevent a Golden SAML attack is by deploying a Privileged Access Management (PAM) solution – referring to a solution that helps manage, monitor, and secure privileged access to critical assets. It’s also important to monitor for suspicious SAML tokens such as those with an unusually long life.

In case there’s enough evidence that attackers have already accessed your organization’s Active Directory Federation Services servers, the following steps need to be done:

1. Issue new certificates on the Active Directory Federation Services servers and synchronize them to Azure Active Directory; and
2. Revoke all existing refresh tokens for the Microsoft 365 tenant.