Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is actively used by the Nobelium threat actor group.
The FoggyWeb malware, Microsoft said, is designed to target Microsoft Active Directory Federation Services (AD FS) servers, exfiltrate credentials, configuration databases, decrypted token signing and decryption certificates, and to download additional components to configure a permanent backdoor and attack the network more broadly.
“Because FoggyWeb is loaded in the same application domain as AD FS managed code, it obtains programmatic access to legitimate AD FS classes, methods, properties, fields, objects, and components which are then leveraged by FoggyWeb to facilitate its malicious operations,” Ramin Nafisi, researcher at the Microsoft Threat Intelligence Center, wrote in an analysis of the malware.
“FoggyWeb is also independent of the AD FS version; it does not need to keep track of legacy and modern configuration table names and schemas, named pipe names, and other AD FS version dependent properties.”
Systems compromised by the malware will disclose credentials and other private data, Microsoft confirmed, while providing attackers with a remote-controlled backdoor into the server, with a command and control channel cleverly disguised as ordinary HTTP GET and POST requests.
“Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using malware and sophisticated tools,” Nafisi explained. “Nobelium uses FoggyWeb to remotely exfiltrate the compromised AD FS server configuration database, decrypted token signing certificate and token decryption certificate, as well as to download and run additional components.”
Nobelium, which is said to be linked to the Russian government, has been blamed for the 2020 attack on SolarWinds’ Orion monitoring platform, which was then used as a jumping-off point to infiltrate U.S. government networks, including the American legal system.
Most recently, the group managed a phishing attack on Microsoft’s help desk, recovering private customer data that the company said included “information about … Microsoft service subscriptions” and was used “in some cases” to “launch other highly targeted attacks as part of [a] wider campaign.”
“Protecting AD FS servers is essential to mitigate Nobelium attacks,” Nafisi concluded in his report. “Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known Nobelium attack chains.”
To help, the company released a best practices guide that includes restricting account rights to AD FS access, requiring the use of multi-factor authentication (MFA), the use of host firewalls to limit access to the network and the suggestion to “remove Windows protocols and features.”
FoggyWeb is detected by Microsoft Defender Antivirus as Trojan:Win32/FoggyWeb.A!dha (the loader) and Trojan:MSIL/FoggyWeb.A!dha (the backdoor), while the security report contains additional indicators of compromise (IOCs) and a hunting query for Microsoft Defender for Endpoint.
In a message posted on his personal Twitter account, Microsoft Chief Security Advisor Roger Halbheer offered a brief and somewhat mind-boggling piece of advice: “Why are there still AD FS servers without HSMs [Hardware Security Modules]? Your best bet would be to quit AD FS, but if you’re still using it, move your keys to an HSM.”
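As a starting point for the detection and key-protection advice above, here is an added defender-side spot check (example code, not from Microsoft's report or the FoggyWeb hunting query). It assumes an elevated PowerShell session on the AD FS host, that the AD FS service runs as Microsoft.IdentityServer.ServiceHost.exe, and that the ADFS PowerShell module (Get-AdfsCertificate) is installed.

```powershell
# Added example: audit what is loaded into the AD FS service process and
# which token-signing certificates AD FS reports. Assumptions: elevated
# session on the AD FS server; process name Microsoft.IdentityServer.ServiceHost.

function Get-AdfsUnsignedModules {
    # Lists modules loaded into the AD FS process whose Authenticode
    # signature is missing or invalid. Caveat: assemblies loaded purely
    # from memory never appear in the module list, so an empty result is
    # a good sign but not proof that the host is clean.
    $proc = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue
    if (-not $proc) {
        Write-Warning 'AD FS service process not found; is the adfssrv service running here?'
        return @()
    }
    $proc.Modules |
        Select-Object -ExpandProperty FileName -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

function Get-AdfsTokenSigningCertInfo {
    # Enumerates the token-signing certificates AD FS knows about so you can
    # confirm nothing unexpected was added and inventory the keys that the
    # article recommends moving into an HSM.
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint, StoreLocation, StoreName,
            @{ n = 'NotAfter';      e = { $_.Certificate.NotAfter } },
            @{ n = 'HasPrivateKey'; e = { $_.Certificate.HasPrivateKey } }
}

Get-AdfsUnsignedModules       | Format-Table -AutoSize
Get-AdfsTokenSigningCertInfo  | Format-Table -AutoSize
```

Anything reported by the first function deserves comparison against the IOCs in Microsoft's report before being treated as malicious; signed-but-unexpected modules are also worth a look, since a valid signature alone says nothing about whether a file belongs on an AD FS server.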
Microsoft has confirmed that it has had evidence of active use of FoggyWeb since at least April of this year, and that it has contacted all customers that it considers to be “targeted or compromised by this activity,” but it had not responded to a request for comment on how many infections it had found, or their geographic distribution, in time for publication. ®