The modern world’s ransomware and malware plight doesn’t look like it’ll be going anywhere anytime soon. In fact, it appears to be growing, with hackers adding new tools to their arsenals by the day. Microsoft has now discovered a new malware, used by the Russian hacker group Nobelium (responsible for last year’s SolarWinds attack), to backdoor Windows domains.
Microsoft’s Malware Menace
Microsoft’s Threat Intelligence Center (MSTIC) has named the malware ‘FoggyWeb’. It is apparently a backdoor that allows hackers to access and steal admin credentials for Active Directory Federation Services (AD FS) servers. This in turn gives them access to the Security Assertion Markup Language (SAML) token and, through it, to a number of subsequent resources.
“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” reports MSTIC.
Microsoft has already notified customers that have potentially been compromised by FoggyWeb, and advises that any organisation worried that it may have been hacked should:
- audit its on-premises and cloud infrastructures, including forwarding rules, per-user and per-app settings and configuration, and investigate any other changes that may indicate infiltration
- remove user and app access and issue updated, stronger credentials
- use a hardware security module to prevent FoggyWeb from snagging AD FS server information
FoggyWeb is the newest addition to Nobelium’s expanding toolbox. Microsoft reports that the group has used a number of other malware components in the past, such as Sunburst, Teardrop, GoldMax, GoldFinder and Sibot.