
The attack on SolarWinds Orion, carried out by the threat actor UNC2452, has been one of the most elaborate supply-chain attacks to date, and it uncovered one of the most innovative techniques: Golden SAML, now known as Solorigate, which is the topic of today. In a Golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with whatever privileges they want and as any user in the target application (in some cases even a user that does not exist in the app). At a time when more and more business infrastructure is moving to the cloud, Active Directory (AD) is no longer the ultimate authority for authenticating and authorizing users. AD can now be part of something bigger: a federation.

A federation establishes trust between different environments that would not otherwise be related, such as Microsoft AD, Azure, AWS, and many others. This trust lets a user in an AD, for example, enjoy the benefits of SSO across all trusted environments in that federation. In a federation, compromising the victim's domain controller alone is no longer enough for an attacker to dominate the environment.

The "Golden" in the name may remind you of another notorious attack known as Golden Ticket, introduced by Benjamin Delpy, known for his famous attack tool Mimikatz. The similarity of the names is intentional, as the nature of the attack is quite similar. Golden SAML brings to a federation the advantages that Golden Ticket offers in a Kerberos environment, from obtaining any type of access to maintaining persistence in a stealthy way. Golden SAML is an attack vector that can offer powerful benefits to attackers, including:

▸Multifactor Authentication Bypass

Using this technique can render the additional layer of security that MFA provides completely useless. Legitimate users obtain a valid SAML token only after authenticating with MFA, but attackers using Golden SAML go straight to forging such a token with the stolen token-signing certificate, without needing the user's password or any other authentication factor. This shows that the sense of security MFA provides can be false in some cases.

▸Flexibility

Golden SAML allows attackers to impersonate almost any identity they want in the organization, which benefits them for two reasons. First, attackers capable of carrying out a Golden SAML attack can gain access to all the services and assets of the organization, as long as those are part of the federation, of course. Second, whatever action an attacker intends to take, they can do it using the identity of a "known" user, which reduces the chances of being detected.

▸Long-term persistence

Passwords are changed at regular intervals, but a SAML token-signing certificate is almost never changed. This allows attackers to maintain their access for a long time.

▸Difficult to remediate

When an attacker steals a SAML token-signing certificate, things get complicated: changing a user's password does not help, because the attacker can keep forging SAML tokens that impersonate that user without ever needing the real password.
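Because a forged token never passes through the federation server, a defender's main lever for the MFA-bypass and remediation problems described above is correlation: every SAML token the cloud side accepts should have a matching issuance record on the on-premises federation server. The script below is an added example (it is not part of the original article and not vendor code); all log formats, field names, the sample users and the assumed one-hour token lifetime are constructed for illustration and do not reproduce the real ADFS or Azure AD event schema. It flags cloud sign-ins whose assertion has no issuance record, whose lifetime departs from the configured one, or whose subject does not exist in the directory.

```python
"""Correlate cloud SAML sign-ins with federation-server issuance records.

A Golden SAML token is signed with a stolen token-signing certificate and is
never issued by the federation server, so it leaves no issuance event there.
Every record, field name and value below is a constructed, simplified sample
for illustration, not the real ADFS / Azure AD log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample: assertions the federation server itself recorded issuing
# (the on-prem side, where MFA was actually performed).
ADFS_ISSUANCE_EVENTS = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "issued": "2021-01-10T09:00:00", "mfa": True},
    {"assertion_id": "_a2", "user": "bob@corp.example",   "issued": "2021-01-10T09:05:00", "mfa": True},
]

# Constructed sample: sign-ins the cloud identity provider accepted, with the
# validity window carried inside each SAML assertion.
CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "not_before": "2021-01-10T09:00:00", "not_after": "2021-01-10T10:00:00"},
    {"assertion_id": "_a2", "user": "bob@corp.example",   "not_before": "2021-01-10T09:05:00", "not_after": "2021-01-10T10:05:00"},
    # No issuance record and a 24-hour lifetime: the shape a forged token can take.
    {"assertion_id": "_zz", "user": "admin@corp.example", "not_before": "2021-01-10T09:10:00", "not_after": "2021-01-11T09:10:00"},
    # Subject the directory does not know at all, with an inconspicuous lifetime.
    {"assertion_id": "_zy", "user": "ghost@corp.example", "not_before": "2021-01-10T09:12:00", "not_after": "2021-01-10T10:12:00"},
]

# Constructed directory contents and the token lifetime assumed to be configured
# on the federation server (assumption for this example).
KNOWN_USERS: Set[str] = {"alice@corp.example", "bob@corp.example", "admin@corp.example"}
EXPECTED_LIFETIME = timedelta(hours=1)
LIFETIME_TOLERANCE = timedelta(minutes=5)


@dataclass
class Finding:
    assertion_id: str
    user: str
    reasons: List[str]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_suspicious_signins(signins: Iterable[dict],
                            issuance_events: Iterable[dict],
                            known_users: Set[str],
                            expected_lifetime: timedelta = EXPECTED_LIFETIME) -> List[Finding]:
    """Return one Finding per cloud sign-in that fails any correlation check."""
    issued: Dict[str, dict] = {e["assertion_id"]: e for e in issuance_events}
    findings: List[Finding] = []
    for s in signins:
        reasons: List[str] = []
        event = issued.get(s["assertion_id"])
        if event is None:
            # The cloud accepted a token the federation server never issued.
            reasons.append("no issuance record on federation server")
        elif event["user"] != s["user"]:
            reasons.append("issuance record names a different subject")
        lifetime = _ts(s["not_after"]) - _ts(s["not_before"])
        if abs(lifetime - expected_lifetime) > LIFETIME_TOLERANCE:
            reasons.append(f"token lifetime {lifetime} differs from expected {expected_lifetime}")
        if s["user"] not in known_users:
            # Golden SAML can assert identities that do not exist in the directory.
            reasons.append("subject not present in directory")
        if reasons:
            findings.append(Finding(s["assertion_id"], s["user"], reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_signins(CLOUD_SIGNINS, ADFS_ISSUANCE_EVENTS, KNOWN_USERS):
        print(f"{f.assertion_id} ({f.user}): " + "; ".join(f.reasons))
```

The lifetime check alone is not sufficient, as the second flagged entry shows: an attacker who controls the signing key also controls the validity window, so the absence of an issuance record is the signal that matters most. In practice the issuance side is the federation server's own audit log and the consumption side is the cloud provider's sign-in log, and both must be retained long enough to be joined. Rotating the token-signing certificate, not resetting passwords, is what actually invalidates tokens an attacker can still forge.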

More reads:
NativeZone – Solarwinds Authors Return
Sunburst – The Biggest Malware on Post-Cold War

