[BreachExchange] Microsoft warns of latest malware attack, explains how to avoid secret backdoor

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Sep 29 09:00:07 EDT 2021


https://www.digitaltrends.com/computing/microsoft-warns-of-new-malware-that-creates-secret-backdoor/

Microsoft has disclosed another piece of malware, which it has named FoggyWeb,
that the attacker group it calls Nobelium is using against already-compromised
Active Directory Federation Services (AD FS) servers. FoggyWeb lets the group
remotely copy the AD FS configuration database together with the token-signing
and token-decryption certificates, the material that governs users' access to
federated applications.

Microsoft attributes to the same group the SolarWinds software supply chain
attack that was revealed in December 2020.

The malware acts as a backdoor for the attackers and facilitates the remote
theft of certificates and token-related secrets from AD FS, Microsoft's
on-premises identity federation platform.

The newly discovered malware is deployed only after the attackers have already
obtained administrative access to the targeted AD FS server; it is a
post-exploitation tool, not an initial access vector. The group uses several
techniques to gain a foothold in the identity infrastructure and then to take
control of the applications it fronts.

Ramin Nafisi of the Microsoft Threat Intelligence Center says: “Nobelium
uses FoggyWeb to remotely exfiltrate the configuration database of
compromised AD FS servers, decrypted token-signing certificate, and
token-decryption certificate, as well as to download and execute additional
components”.

“FoggyWeb is a passive and highly targeted backdoor capable of remotely
exfiltrating sensitive information from a compromised AD FS server. It can
also receive additional malicious components from a command-and-control
(C2) server and execute them on the compromised server,” Microsoft adds.

With the token-signing certificate in hand, the attackers can forge Security
Assertion Markup Language (SAML) tokens, the assertions that AD FS issues to
authenticate users to federated applications. A forged token is
indistinguishable from a legitimate one to the relying party, so this access
survives routine cleanups such as password resets until the certificate itself
is replaced. According to Microsoft, FoggyWeb has been in use since April 2021.

Microsoft has also uncovered a number of other Nobelium components, including
GoldMax, GoldFinder, and Sibot, which it attributes to the same group as the
earlier Solorigate campaign tooling (Sunburst, Teardrop, and Sunspot).

For organizations that suspect they have been targeted, Microsoft recommends
auditing on-premises and cloud infrastructure, including configurations and
per-user and per-app settings; removing user and application access, reviewing
configurations, and reissuing new, strong credentials; and protecting the AD FS
token-signing and token-decryption keys with a hardware security module so that
FoggyWeb cannot read them out of the server.
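The audit-and-reissue steps above, as an added example in PowerShell (this is
not code from the Digital Trends article or from Microsoft's report). It runs
on the primary AD FS server with the ADFS module, lists the token-signing and
token-decrypting certificates, flags the AD FS-generated self-signed ones
whose private keys live in the configuration database that FoggyWeb
exfiltrates, and, with the -Rotate switch, promotes fresh certificates. The
-Rotate switch, the assumption that the farm runs on Windows Server 2016 or
later, and the Azure AD trust-update hint are the example's own.

```powershell
<#
  Added example, not part of the original article or of Microsoft's tooling.
  Audit an AD FS farm's token certificates and optionally roll them.
  Run in an elevated PowerShell on the primary AD FS server.
  Assumption: AD FS on Windows Server 2016 or later with the ADFS module.
#>
param(
    [switch]$Rotate   # promote new certificates; without it the script only audits
)

Import-Module ADFS -ErrorAction Stop

$props = Get-AdfsProperties

# 1. Rollover settings: the urgent rotation below requires AutoCertificateRollover.
"AutoCertificateRollover : $($props.AutoCertificateRollover)"
"CertificateDuration     : $($props.CertificateDuration) days"

# 2. Enumerate the certificates an attacker with FoggyWeb would be after.
$certs = Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }

foreach ($c in $certs) {
    $x = $c.Certificate            # X509Certificate2 for this entry
    $selfSigned = ($x.Subject -eq $x.Issuer)

    [pscustomobject]@{
        Type       = $c.CertificateType
        Primary    = $c.IsPrimary
        Thumbprint = $x.Thumbprint
        NotAfter   = $x.NotAfter
        SelfSigned = $selfSigned
        Store      = "$($c.StoreLocation)\$($c.StoreName)"
    }

    if ($selfSigned) {
        # AD FS-generated certificates keep their private keys in the AD FS
        # configuration database, protected by DKM. That database is exactly
        # what FoggyWeb exfiltrates, so prefer an HSM/KSP-backed certificate
        # whose private key never leaves the hardware.
        Write-Warning ("{0} {1}: AD FS-generated self-signed certificate; " +
            "private key is stored in the configuration database. " +
            "Consider an HSM-backed certificate.") -f $c.CertificateType, $x.Thumbprint
    }
}

# 3. Reissue. Treat the current certificates as compromised: every SAML token
#    they signed must stop being trusted, so promote new ones immediately.
if ($Rotate) {
    if (-not $props.AutoCertificateRollover) {
        throw ("AutoCertificateRollover is disabled; Update-AdfsCertificate -Urgent " +
               "requires it. Enable it with Set-AdfsProperties -AutoCertificateRollover `$true " +
               "or install new certificates manually with Add-AdfsCertificate / Set-AdfsCertificate.")
    }
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        # -Urgent generates a new certificate and makes it primary right away
        # instead of waiting for the normal promotion threshold.
        Update-AdfsCertificate -CertificateType $type -Urgent
    }
    Write-Warning ("Federation partners cache the old public keys. Re-publish the " +
                   "federation metadata and update each trust (for Azure AD, e.g. " +
                   "Update-MsolFederatedDomain) or sign-ins will fail.")
}
```

Rotation alone is not a cleanup: the script assumes the host has already been
rebuilt or otherwise cleared of the backdoor, since a server that still runs
FoggyWeb will simply hand over the new certificates as well. Keeping the
private keys in an HSM, as the article recommends, is what prevents the
exfiltration step from yielding usable signing material in the first place.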