SolarWinds hackers strike again with a new “MagicWeb” authentication exploit
Microsoft warns MagicWeb can abuse admin credentials to hijack AD FS enterprise identity system

Microsoft has warned that Nobelium, the hacking group behind the infamous SolarWinds compromise, has developed a novel technique for bypassing corporate authentication.
In stark contrast to past attacks that leveraged supply chain mechanisms, the new bypass, named "MagicWeb" by Microsoft, abuses admin credentials to gain control over a network.
Notably, MagicWeb compromises an enterprise identity system called Active Directory Federation Services (AD FS).
"MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML," explained Microsoft.
From impersonating USAID in spear-phishing campaigns to installing a post-compromise backdoor called FoggyWeb that harvests data from AD FS, Microsoft warns that Nobelium remains "highly active".
Back in April 2021, Nobelium employed FoggyWeb to remotely exfiltrate sensitive information from a compromised AD FS server, while also controlling token-signing and token-encryption certificates.
Drawing a comparison, Microsoft states that MagicWeb "goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly". It makes use of SAML X.509 certificates that "contain enhanced key usage (EKU) values that specify what applications the certificate should be used for".
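Because the EKU extension is what scopes a certificate to a purpose, a defender auditing an AD FS estate will want to know which certificates in a store actually carry the client-authentication EKU and which are unscoped or scoped to something else. The script below is an added example written for this article; it is not code from Microsoft or from the article itself. The store path is an assumed placeholder to adjust, and the OIDs are the standard PKIX values for client and server authentication.

```powershell
# Added example (not from the article or Microsoft): list certificates in a
# store whose enhanced key usage (EKU) does not include client authentication.
# Assumptions: $StorePath is a placeholder for the store you want to audit;
# the OIDs are the standard PKIX id-kp-clientAuth / id-kp-serverAuth values.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth
$StorePath     = 'Cert:\LocalMachine\My' # assumed store to audit

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # A certificate with no EKU extension is unrestricted (RFC 5280), which is
    # exactly the case a reviewer wants surfaced, so return an empty list.
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$report = Get-ChildItem -Path $StorePath | ForEach-Object {
    $ekus = Get-CertEkuOids -Cert $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Ekus       = if ($ekus.Count -eq 0) { '<none: unrestricted>' } else { $ekus -join ',' }
        ClientAuth = $ekus -contains $ClientAuthOid
        ServerAuth = $ekus -contains $ServerAuthOid
    }
}

# Certificates that are either unrestricted or not scoped to client auth are
# the ones to review before trusting them for user authentication.
$report | Where-Object { -not $_.ClientAuth } |
    Sort-Object NotAfter |
    Format-Table Subject, Thumbprint, Ekus, ClientAuth, ServerAuth -AutoSize
```

Run it on the AD FS server (or any machine holding the store) with rights to read the store. The point of reporting unrestricted certificates separately is that an empty EKU list is not the same as "client auth not allowed": it allows everything, so it deserves a human decision rather than silent acceptance.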
"This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary," added Microsoft.
As a precaution, Microsoft recommends enterprises isolate their AD FS infrastructure and limit access to admin accounts, or migrate to Azure Active Directory.
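Since the attack Microsoft describes hinges on a legitimate AD FS DLL being swapped for a malicious one by someone who already holds admin rights, the most direct detection is to verify the Authenticode signatures of every DLL the AD FS service can load. The script below is an added example for this article, not code from Microsoft or the article; it assumes the default AD FS install directory and the .NET global assembly cache location, and it uses a simple substring match on the signer subject to decide what counts as a Microsoft-signed binary.

```powershell
# Added example (not from the article or Microsoft): report DLLs in the AD FS
# install directory and the .NET GAC whose Authenticode signature is missing,
# invalid, or not issued to Microsoft. Run as an administrator on the AD FS
# server. Assumptions: the two directories are the default locations, and
# "Microsoft-signed" is approximated by matching the signer's subject.
$Paths = @(
    'C:\Windows\ADFS',                   # default AD FS install directory
    'C:\Windows\Microsoft.NET\assembly'  # .NET 4.x global assembly cache
)

function Test-DllSignatures {
    param([string]$Dir)
    Get-ChildItem -Path $Dir -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer     = $signer
                LastWrite  = $_.LastWriteTimeUtc
                # Anything not validly signed by Microsoft in these directories
                # is worth a look; a HashMismatch means the file changed after signing.
                Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
            }
        }
}

$results = $Paths | ForEach-Object { Test-DllSignatures -Dir $_ }

# Newest modifications first: a replaced DLL shows up with a recent write time.
$results | Where-Object Suspicious |
    Sort-Object LastWrite -Descending |
    Format-Table Path, Status, Signer, LastWrite -AutoSize
```

Treat the output as a triage list rather than a verdict: third-party signed extensions legitimately appear in the GAC, so the useful comparison is against a baseline captured from a known-good AD FS server, and any NotSigned or HashMismatch entry under these directories should trigger an incident response rather than a shrug. Running the check from a separate, tightly controlled host (in line with the isolation Microsoft recommends) keeps the audit itself out of reach of an attacker who holds AD FS admin rights.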