Microsoft has warned of a new backdoor, FoggyWeb, being used by Nobelium, the state-sponsored hacking group believed to be responsible for the SolarWinds supply-chain attack.
According to Microsoft, Nobelium is using a never-before-seen post-exploitation backdoor that can steal sensitive data from a compromised AD FS (Active Directory Federation Services) server.
What is FoggyWeb?
According to a report from the Microsoft Threat Intelligence Center (MSTIC), Nobelium uses a range of new tactics in its latest campaign, one of which involves the FoggyWeb backdoor, to gain admin-level access to AD FS servers. FoggyWeb was reportedly first observed in April 2021.
FoggyWeb is a passive, highly targeted backdoor capable of remotely exfiltrating sensitive data, receiving commands from the attacker-controlled C2 server, and executing them on the victim's server.
“Nobelium uses FoggyWeb backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” wrote Ramin Nafisi from MSTIC.
The diagram below, taken from Microsoft's report, shows how the Nobelium group communicates with the FoggyWeb backdoor installed on a compromised internet-facing AD FS server.
Further, the backdoor abuses Security Assertion Markup Language (SAML) tokens, which allow users to authenticate to applications quickly.
Microsoft has been following the activities of this group quite closely since then. The recent attacks from Nobelium, as reported by Microsoft, include an email scam campaign impersonating USAID.
“In March 2021, we profiled NOBELIUM’s GoldMax, GoldFinder, and Sibot malware, which it uses for layered persistence... in May, we analyzed the actor’s early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage,” the report read.
Microsoft researchers recommend that customers audit their cloud and on-premises infrastructure, including configurations and per-app and per-user settings. They should remove user and app access, re-issue credentials, review configurations, and use hardware security modules to prevent the FoggyWeb backdoor from exfiltrating data from AD FS servers.