SolarWinds Attackers Develop New FoggyWeb Backdoor


Microsoft has discovered a new post-exploitation backdoor attributed to the SolarWinds attackers, designed to help them gain admin-level access to Active Directory Federation Services (AD FS) servers.



Dubbed “FoggyWeb,” the malware has been in use since around April 2021, allowing the Russian-linked APT group known as Nobelium (aka APT29) to steal info from compromised servers and receive and execute additional malicious code.





AD FS servers are on-premises systems that provide single sign-on (SSO) for the cloud applications used in Microsoft environments. They therefore represent an attractive target for data thieves hunting for sensitive information.





“Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools,” explained Ramin Nafisi, senior software security engineer at Microsoft.





“Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”





Microsoft has informed all customers currently being targeted by the malware, but it urged others who suspect they may be victims to audit their entire on-premises and cloud infrastructure for changes the threat actors may have made to maintain persistence.





It also recommended that organizations remove user and app access and issue new, strong credentials. They should also use a hardware security module (HSM) to prevent FoggyWeb from exfiltrating sensitive material, said Nafisi.
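One way to check the HSM recommendation above on an AD FS server, as an added example that is not from the article or from Microsoft: list the token-signing and token-decryption certificates and flag any whose private key lives in a Microsoft software key storage provider rather than a vendor (HSM) provider. It assumes RSA keys, the ADFS PowerShell module, and an elevated session (private-key access may require running as the AD FS service account); the software-backed heuristic is an assumption, not an official check.

```powershell
# Added example, not the article's or Microsoft's code.
Import-Module ADFS

function Get-AdfsKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Assumption: RSA key. CNG keys expose the KSP name via Key.Provider;
    # legacy CAPI keys via CspKeyContainerInfo.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        return 'inaccessible'   # typically: not running as the AD FS service account
    }
    if ($null -eq $rsa) { return 'inaccessible' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.Provider.Provider
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.ProviderName
    }
    return 'unknown'
}

# AutoCertificateRollover = $true means AD FS generates its own software-backed
# certificates, so an HSM cannot be in use for them.
$rollover = (Get-AdfsProperties).AutoCertificateRollover
Write-Host "AutoCertificateRollover: $rollover"

$report = foreach ($c in Get-AdfsCertificate |
          Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }) {
    $provider = Get-AdfsKeyProvider -Cert $c.Certificate
    [pscustomobject]@{
        Type           = $c.CertificateType
        Primary        = $c.IsPrimary
        Thumbprint     = $c.Thumbprint
        NotAfter       = $c.Certificate.NotAfter
        Provider       = $provider
        # Heuristic (assumption): Microsoft's built-in providers are software-backed;
        # any other provider name is treated as a vendor/HSM key storage provider.
        SoftwareBacked = ($provider -like 'Microsoft*')
    }
}
$report | Format-Table -AutoSize
```

A certificate reported as SoftwareBacked is one whose private key can be exported from the server by anyone with sufficient privileges, which is the exposure the HSM recommendation is meant to close.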





He listed multiple suggested techniques to harden and secure AD FS ..
