Discover and read the best of Twitter Threads about #GoldenSAML
Most recents (3)
1/ Solving the root cause of #GoldenSAML attacks, recently used in #Sunburst attacks.
Don't of scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC)+ service architecture, as we do for #cryptocurrency @ZenGo
Don't of scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC)+ service architecture, as we do for #cryptocurrency @ZenGo
2/ Advanced attackers (#APT) steal long term secrets ("the stamp") that allow them to issue access tokens and thus access all services in victims' environment, bypassing all security, including multi-factor auth (#MFA,#2FA)
3/ @CISAgov recommends protecting such secrets with hardware (HSM), but this solution is not always feasible, does not scale well and is susceptible to vulnerabilities especially when facing #APT attackers (hence: "aggressively updated")
media.defense.gov/2020/Dec/17/20…
media.defense.gov/2020/Dec/17/20…
Abusing #ADFS for #GoldenSAML attack, heavily used by #Sunburst attackers.
To get context, see the fabulous '19 talk @WEareTROOPERS by @doughsec @BakedSec of @Mandiant @FireEye (the irony..)
To get context, see the fabulous '19 talk @WEareTROOPERS by @doughsec @BakedSec of @Mandiant @FireEye (the irony..)
Slides: slideshare.net/DouglasBiensto…
1/ could it be that #SUNBURST introduced #SUPERNOVA, but only to victims of interest (not the whole 18K)?
Abusing #Solarwinds Orion vulns with #SUPERNOVA , attackers can bypass auth and get access to Orion.
From there they get access to cloud cert to Sign #GoldenSAML
Abusing #Solarwinds Orion vulns with #SUPERNOVA , attackers can bypass auth and get access to Orion.
From there they get access to cloud cert to Sign #GoldenSAML
2/ If so this explains a lot:
It means no mysterious second actor as originally claimed by Microsoft reducing the complexity of this story
microsoft.com/security/blog/…
It means no mysterious second actor as originally claimed by Microsoft reducing the complexity of this story
microsoft.com/security/blog/…
3/ it explains why the #SUPERNOVA webshell was not signed (because it's not part of the backdoor payload, but introduced later)
And finally, it tightly connects the method of entry to the #GoldenSAML post exploitation.
And finally, it tightly connects the method of entry to the #GoldenSAML post exploitation.
