Researchers at CyberArk Labs have created a post-intrusion attack technique known as a Golden SAML that could allow an attacker to fake enterprise user identities and forge authentication to gain access to valuable cloud resources in a federation environment.
“Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” according to CyberArk Labs, which revealed the attack technique this week.
Researchers said this Golden SAML attack technique mirrors in many ways how the notorious Golden Ticket attacks work.
“The name resemblance is intended, since the attack nature is rather similar. Golden SAML introduces to a federation the advantages that Golden Ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency,” according to CyberArk Labs.
Golden Ticket is a type of attack against an IT infrastructure’s authentication protocols. Similar to Pass-the-Hash, Overpass-the-Hash and Pass-the-Ticket, a Golden Ticket attack is considered the most invasive because it provides an adversary with unrestricted access and control of an IT landscape via manipulation of the Windows Server Kerberos authentication framework.
Instead of targeting Windows Server Kerberos, a Golden SAML attack leverages the Security Assertion Markup Language 2.0 (SAML) protocol. SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
“Golden SAML poses serious risk because it allows attackers to fake an identity and forge authentication to any cloud app (Azure, AWS, vSphere, etc.) that supports SAML authentication. Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” researchers wrote.