SolarWinds hackers strike again with a new “MagicWeb” authentication exploit


Microsoft has warned that Nobelium, the hacking group behind the infamous SolarWinds compromise, has developed a novel technique to bypass corporate authentication.

In contrast to the group's past supply-chain attacks, the new bypass, which Microsoft has named "MagicWeb", abuses existing admin credentials to gain control over a network.


Notably, MagicWeb compromises the enterprise identity system Active Directory Federation Services (AD FS).

"MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML," explained Microsoft.

From impersonating USAID in spear-phishing campaigns to installing a post-compromise backdoor called FoggyWeb that harvests details from AD FS, Microsoft warns that Nobelium remains "highly active".

Back in April 2021, Nobelium employed FoggyWeb to remotely exfiltrate sensitive information from a compromised AD FS server, while also controlling token-signing and token-encryption certificates.

Drawing a comparison, Microsoft states that MagicWeb "goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly". It makes use of SAML X.509 certificates that "contain enhanced key usage (EKU) values that specify what applications the certificate should be used for".

"This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary," added Microsoft.
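Because the technique hinges on a swapped DLL inside AD FS, one defender-side check is to verify the signature of every module the AD FS service process has loaded. The script below is an added example, not code from Microsoft's advisory or this article; it assumes it is run elevated on a federation server and that the AD FS service process is named Microsoft.IdentityServer.ServiceHost (the standard AD FS service executable).

```powershell
# Added example (not from Microsoft or this article): list modules loaded into
# the AD FS service process that are unsigned, carry an invalid signature, or
# are signed by a subject other than Microsoft. A replaced AD FS DLL, as in
# MagicWeb, would normally fail one of these checks.
# Assumptions: run as administrator on an AD FS server; the service process
# name is Microsoft.IdentityServer.ServiceHost.

$adfsProcessName = 'Microsoft.IdentityServer.ServiceHost'
$expectedSigner  = 'Microsoft'   # substring matched against the signer subject

$procs = Get-Process -Name $adfsProcessName -ErrorAction Stop

$findings = foreach ($p in $procs) {
    foreach ($m in $p.Modules) {
        $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

        # Flag anything that is not a valid Microsoft-signed binary.
        $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notlike "*$expectedSigner*")
        if ($suspicious) {
            [pscustomobject]@{
                Module = $m.ModuleName
                Path   = $m.FileName
                Status = $sig.Status
                Signer = $signer
                SHA256 = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
            }
        }
    }
}

if ($findings) {
    Write-Warning "Modules in $adfsProcessName that fail the signing check (triage these):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All modules loaded into $adfsProcessName carry a valid Microsoft signature."
}
```

Treat the output as triage input rather than a verdict: on older hosts, catalog-signed OS DLLs can report NotSigned, so compare any flagged file's hash against a known-good AD FS server before acting.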

As a precaution, Microsoft recommends enterprises isolate their AD FS infrastructure and limit access to admin accounts, or migrate to Azure Active Directory.