Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang
Chief security adviser Roger Halbheer says best protection is to 'get off AD FS'
Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is under active use by the Nobelium threat actor group.
The FoggyWeb malware, Microsoft has declared, is designed to target Microsoft Active Directory Federation Services (AD FS) servers, exfiltrating credentials, configuration databases, decrypted token-signing and token-decryption certificates, and to download additional components to set up a permanent backdoor and attack the network more widely.
"Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations," Ramin Nafisi, Microsoft Threat Intelligence Centre researcher, wrote in an analysis of the malware.
"FoggyWeb is also AD FS version-agnostic; it does not need to keep track of legacy versus modern configuration table names and schemas, named pipe names, and other version-dependent properties of AD FS."
Systems compromised by the malware will leak credentials and other private data, Microsoft has confirmed, while providing attackers with a remote-controlled backdoor into the server – with a command-and-control system cleverly disguised as HTTP GET and POST requests.
"Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools," Nafisi explained. "Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components."
Nobelium, which is believed to be linked to the Russian government, has been fingered for the 2020 attack on SolarWinds' Orion IT monitoring platform, which was then used as a jumping-off point to infiltrate US government networks – including the US courts system.
- Here's 30 servers Russian intelligence uses to fling malware at the West, beams RiskIQ
- Mega-distie SYNNEX attacked and Microsoft cloud accounts it tends tampered
- Security researcher says attacks on Russian government have Chinese fingerprints – and typos, too
- Us? Pwn SolarWinds? With our reputation? Russian spy chief makes laughable denial of supply chain attack
More recently the group succeeded in a phishing attack on Microsoft's support desk, retrieving private customer data which the company confirmed included "information regarding... Microsoft Services subscriptions" and was used "in some cases" to launch further "highly-targeted attacks as part of [a] broader campaign."
"Protecting AD FS servers is key to mitigating Nobelium attacks," Nafisi concluded in his report. "Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known Nobelium attack chains."
To help, the company has published a best practices guide which includes restricting account rights to AD FS access, requiring the use of multi-factor authentication (MFA), using host firewalls to limit on-network access, and the suggestion to "remove unnecessary protocols and Windows features."
The FoggyWeb malware is detected in Microsoft Defender Antivirus as Trojan:Win32/FoggyWeb.A!dha and Trojan:MSIL/FoggyWeb.A!dha for the loader and backdoor respectively, while the security report has additional indicators of compromise (IOCs) and a hunting query for Microsoft Defender for Endpoint.
In a message posted to his personal Twitter account, Microsoft chief security adviser Roger Halbheer had a brief and somewhat eyebrow-raising piece of additional advice: "Why are there still AD FS servers without HSM [Hardware Security Modules]? Best would be to get off AD FS but if you still use it, move your keys to an HSM."
Microsoft confirmed that it has evidence of FoggyWeb in active use since at least April this year, and that it has contacted all those customers it found to be "targeted or compromised by this activity" – but did not respond to a request for comment on how many infections it had found nor their geographic distribution in time for publication. ®