On December 8, 2020, FireEye announced that they had been the subject of a cybersecurity incident. Through their investigation, they discovered the SUNBURST backdoor and notified SolarWinds of the issue just four days later. This backdoor gave attackers access to Orion systems on victim networks, and once you gain control of a system like Orion, you have a ticket to ride. And ride they did.
The attack compromised victims Office365 email accounts. But how did attackers get from the on-prem Orion systems to the Microsoft cloud?
The Golden SAML attack.
Golden SAML is a federated attack that steals the private keys of your ADFS server and uses them to forge a SAML token trusted by your Office 365 environment. This allows the attacker to access any O365 resource available to the impersonated user, including their mailbox.
In this webinar, Brian Coulson, Dan Kaiser, and Sally Vincent threat research engineers from the LogRhythm Labs team will walk through what the Golden SAML attack is and is not, how it works, and how to identify and prevent the attack in your environment. SANS senior instructor, Jake Williams, will join in on the conversation and help answer your questions about supply chain attacks.
It's time to stop gambling with threats like Golden SAML. Register today to learn how to detect and prevent supply chain attacks from threat research experts.
Read the associated whitepaper written by Jake Williams.