By Justin Katz Jan 08, 2021 The Cybersecurity and Infrastructure Security Agency says hackers are breaching federal networks by exploiting methods besides the SolarWinds Orion vulnerabilities. "Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," according to updated guidance published Jan 6. "CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs)." SAML tokens having a 24-hour validity period or not containing multi-factor authentication details where expected are examples of these red flags.