Threat Actors Can Gain Access to Cloud Apps Using Golden SAML Attack

A variation of the "Golden Ticket" attack technique, dubbed "Golden SAML," allows threat actors to forge authentication responses and access a company's cloud-based apps that rely on SAML-compatible domain controllers to authenticate users. If a threat actor compromises a company's domain controller and gains administrative access, they can use tools such as Mimikatz to extract the Identity Provider's (IdP) private key that is used to sign authentication tokens. They can then pose as the IdP and use that private key to authenticate to any of the company's cloud-based apps. This attack can be launched from anywhere, including outside the target's network, and it bypasses password resets and two-factor authentication, because the forged token never passes through the IdP's normal login flow. Additionally, threat actors can use Golden SAML to issue tokens with any privileges and impersonate any user on the targeted application. The target company must change the token-signing private key to revoke the actor's access.

The NJCCIC recommends that all administrators of networks using SAML-compatible domain controllers for their cloud-based apps review the research by CyberArk, use the CyberArk tool to determine whether their current security systems detect Golden SAML attacks, and rotate token-signing private keys periodically to limit the time an attacker can successfully exploit a stolen key. The NJCCIC makes no claim as to the effectiveness of the CyberArk tool, and users are advised to exercise caution when downloading and installing any software from the internet.
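Because a forged token is signed outside the IdP, the IdP has no record of issuing it, and a token signed with a rotated-out key carries a stale certificate. The following added example (not from the advisory or from CyberArk's tool) correlates constructed cloud-app sign-in records with constructed IdP token-issuance records to flag both conditions; the field names, thumbprints and time window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are assumptions.
# What the IdP actually signed and issued:
IDP_ISSUED = [
    {"user": "alice@example.com", "ts": "2023-05-01T09:00:05", "cert": "CURRENT-THUMB"},
    {"user": "bob@example.com",   "ts": "2023-05-01T09:10:00", "cert": "CURRENT-THUMB"},
]
# SAML sign-ins the cloud app (service provider) accepted:
APP_SIGNINS = [
    {"user": "alice@example.com", "ts": "2023-05-01T09:00:07", "cert": "CURRENT-THUMB"},
    {"user": "bob@example.com",   "ts": "2023-05-01T09:10:02", "cert": "CURRENT-THUMB"},
    # Forged with the stolen current key: accepted by the app, never issued by the IdP.
    {"user": "admin@example.com", "ts": "2023-05-01T11:30:00", "cert": "CURRENT-THUMB"},
    # Signed with a key that has since been rotated out of the trust set.
    {"user": "carol@example.com", "ts": "2023-05-01T12:00:00", "cert": "OLD-THUMB"},
]
TRUSTED_CERTS = {"CURRENT-THUMB"}   # thumbprints of the keys currently in use
WINDOW = timedelta(minutes=5)       # max delay between IdP issuance and app sign-in


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_signins(app_signins, idp_issued, trusted_certs, window=WINDOW):
    """Return (user, reason) pairs for app sign-ins that were signed with a key
    outside the trusted set, or that no IdP issuance event can account for."""
    findings = []
    for s in app_signins:
        if s["cert"] not in trusted_certs:
            findings.append((s["user"], "untrusted-signing-key"))
            continue
        t = _parse(s["ts"])
        # A genuine sign-in is preceded by an IdP issuance for the same user
        # shortly before it; a Golden SAML token has no such counterpart.
        backed = any(
            i["user"] == s["user"]
            and timedelta(0) <= t - _parse(i["ts"]) <= window
            for i in idp_issued
        )
        if not backed:
            findings.append((s["user"], "no-matching-idp-issuance"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_signins(APP_SIGNINS, IDP_ISSUED, TRUSTED_CERTS):
        print(f"ALERT {reason}: {user}")
```

Note that the admin sign-in carries the trusted thumbprint, so only the correlation with IdP issuance logs exposes it; the thumbprint check alone catches tokens signed with a key that rotation has already retired.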