Discover and read the best of Twitter Threads about #GoldenSAML

Most recent (3)

1/ Solving the root cause of #GoldenSAML attacks, recently used in #Sunburst attacks.
Don't scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC) + service architecture, as we do for #cryptocurrency @ZenGo
2/ Advanced attackers (#APT) steal long term secrets ("the stamp") that allow them to issue access tokens and thus access all services in victims' environment, bypassing all security, including multi-factor auth (#MFA,#2FA)
3/ @CISAgov recommends protecting such secrets with hardware (HSM), but this solution is not always feasible, does not scale well and is susceptible to vulnerabilities especially when facing #APT attackers (hence: "aggressively updated")
media.defense.gov/2020/Dec/17/20…
Abusing #ADFS for #GoldenSAML attack, heavily used by #Sunburst attackers.
To get context, see the fabulous '19 talk @WEareTROOPERS by @doughsec @BakedSec of @Mandiant @FireEye (the irony..)
1/ could it be that #SUNBURST introduced #SUPERNOVA, but only to victims of interest (not the whole 18K)?
Abusing #Solarwinds Orion vulns with #SUPERNOVA, attackers can bypass auth and get access to Orion.
From there they get access to the cloud cert to sign #GoldenSAML
2/ If so this explains a lot:
It means no mysterious second actor as originally claimed by Microsoft, reducing the complexity of this story
microsoft.com/security/blog/…
3/ It explains why the #SUPERNOVA webshell was not signed (because it's not part of the backdoor payload, but introduced later)
And finally, it tightly connects the method of entry to the #GoldenSAML post exploitation.