Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang

Chief security adviser Roger Halbheer says best protection is to 'get off AD FS'

Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is under active use by the Nobelium threat actor group.

The FoggyWeb malware, Microsoft has declared, is designed to target Microsoft Active Directory Federation Services (AD FS) servers, exfiltrating credentials, configuration databases, decrypted token-signing and token-decryption certificates, and to download additional components to set up a permanent backdoor and attack the network more widely.

"Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations," Ramin Nafisi, Microsoft Threat Intelligence Centre researcher, wrote in an analysis of the malware.

"FoggyWeb is also AD FS version-agnostic; it does not need to keep track of legacy versus modern configuration table names and schemas, named pipe names, and other version-dependent properties of AD FS."

Systems compromised by the malware will leak credentials and other private data, Microsoft has confirmed, while providing attackers with a remote-controlled backdoor into the server – with a command-and-control system cleverly disguised as HTTP GET and POST requests.

"Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools," Nafisi explained. "Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components."

Nobelium, which is believed to be linked to the Russian government, has been fingered for the 2020 attack on SolarWinds' Orion IT monitoring platform, which was then used as a jumping-off point to infiltrate US government networks – including the US courts system.

More recently the group succeeded in a phishing attack on Microsoft's support desk, retrieving private customer data which the company confirmed included "information regarding... Microsoft Services subscriptions" and was used "in some cases" to launch further "highly-targeted attacks as part of [a] broader campaign."

"Protecting AD FS servers is key to mitigating Nobelium attacks," Nafisi concluded in his report. "Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known Nobelium attack chains."

To help, the company has published a best practices guide which includes restricting account rights to AD FS access, requiring the use of multi-factor authentication (MFA), using host firewalls to limit on-network access, and the suggestion to "remove unnecessary protocols and Windows features."

The FoggyWeb malware is detected in Microsoft Defender Antivirus as Trojan:Win32/FoggyWeb.A!dha and Trojan:MSIL/FoggyWeb.A!dha for the loader and backdoor respectively, while the security report has additional indicators of compromise (IOCs) and a hunting query for Microsoft Defender for Endpoint.

In a message posted to his personal Twitter account, Microsoft chief security adviser Roger Halbheer had a brief and somewhat eyebrow-raising piece of additional advice: "Why are there still AD FS servers without HSM [Hardware Security Modules]? Best would be to get off AD FS but if you still use it, move your keys to an HSM."

Microsoft confirmed that it has evidence of FoggyWeb in active use since at least April this year, and that it has contacted all those customers it found to be "targeted or compromised by this activity" – but did not respond to a request for comment on how many infections it had found nor their geographic distribution in time for publication. ®

Broader topics

Other stories you might like

  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading

Biting the hand that feeds IT © 1998–2022