Microsoft specialists have discovered a new malware from the Nobelium group. The malware is used to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
The Nobelium hack group (aka APT 29, Cozy Bear, or The Dukes) is believed to be tied to the Russian government and is credited with being responsible for the SolarWinds hack, one of the largest supply chain attacks in history.
The malware, now discovered by Microsoft Threat Intelligence Center experts, is called FoggyWeb and is a “passive and highly targeted” backdoor that abuses Security Assertion Markup Language (SAML) tokens. This tool has been in use since April 2021 and has been helping attackers remotely extract sensitive information from compromised AD FS servers by configuring HTTP levers for specific URIs to intercept GET and POST requests sent to the AD FS server.
“After obtaining credentials and successfully compromising the server, Nobelium uses the gained access to gain a foothold in the system and deepen the infiltration using sophisticated malware and tools.
Nobelium uses FoggyWeb to remotely retrieve the configuration database of compromised AD FS servers, decrypt token-signing certificates and token-decryption certificates, and download and execute additional components. Also, FoggyWeb can receive additional malicious components of the C&C server and run them on a compromised server, ”says Microsoft.
To protect against such attacks, experts advise paying attention to the security of AD FS servers in general, use hardware security modules, and regularly audit on-premises and cloud infrastructure.
Catch up on more stories here
Follow us on Facebook here