MagicWeb Mystery Highlights Nobelium Attacker’s Sophistication

Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group.


The malware that allowed the authentication bypass, which Microsoft called MagicWeb, gave Nobelium the ability to implant a backdoor on the unnamed customer's AD FS server, then use specially crafted certificates to bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, capturing the authentication certificates used by the attacker, and then reverse-engineered the backdoor code.

The eight investigators were not focused "so much [on] a whodunit as a how-done-it," Microsoft's Detection and Response Team (DART) stated in its Incident Response Cyberattack Series publication.

"Nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their sponsor, as well as access to unique, modern hacking tactics, techniques, and procedures (TTPs)," the company stated. "Unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch."

The attack underscores the growing sophistication of APT groups, which have increasingly targeted technology supply chains, as in the SolarWinds breach, and identity systems.

A "Masterclass" in Cyber Chess

MagicWeb used highly privileged certificates to move laterally through the network by gaining administrative access to an AD FS system. AD FS is an identity management platform that offers a way of implementing single sign-on (SSO) across on-premises and third-party cloud systems. The Nobelium group paired the malware with a backdoor dynamic link library (DLL) installed in the Global Assembly Cache, an obscure piece of .NET infrastructure, Microsoft said.
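Because the backdoor DLL lived in the Global Assembly Cache, one practical check for a defender is to inventory the GAC on a federation server and flag any assembly that is not validly signed by Microsoft. The script below is an added example written for this article, not code from Microsoft or from the DART report; the GAC paths are the standard .NET locations, while the `C:\Windows\ADFS` directory and the "Microsoft-signed only" rule are assumptions to adapt to the environment.

```powershell
# Added example (not from the article or Microsoft): inventory .NET Global Assembly
# Cache DLLs on an AD FS server and flag any that are unsigned, tampered, or not
# signed by Microsoft. Run in an elevated PowerShell session on the federation server.

$roots = @(
    "$env:windir\Microsoft.NET\assembly",   # .NET 4.x GAC (GAC_MSIL, GAC_32, GAC_64)
    "$env:windir\assembly",                 # legacy .NET 2.0-3.5 GAC
    "$env:windir\ADFS"                      # assumed AD FS install directory; adjust as needed
) | Where-Object { Test-Path $_ }

function Get-SuspiciousAssembly {
    param([string[]]$SearchRoots)

    foreach ($dll in Get-ChildItem -Path $SearchRoots -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Assumed policy: anything that is not a valid signature from a Microsoft
        # signer is worth a second look on a host that should only run vendor code.
        $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        if (-not $suspicious) { continue }

        [pscustomobject]@{
            Path      = $dll.FullName
            Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
            LastWrite = $dll.LastWriteTimeUtc  # recent writes on a quiet server stand out
            SHA256    = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
        }
    }
}

# Newest files first, so a freshly dropped assembly is at the top of the triage list.
Get-SuspiciousAssembly -SearchRoots $roots |
    Sort-Object LastWrite -Descending |
    Format-Table -AutoSize
```

The output is a triage list, not a verdict: compare it against a known-good baseline taken from a freshly built AD FS server, since some legitimate Microsoft assemblies are catalog-signed rather than Authenticode-signed and may show a non-`Valid` status. Keeping the hashes lets the list be diffed over time and fed into whatever file-integrity monitoring already covers the Tier 0 hosts.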

MagicWeb, which Microsoft first described in August 2022, was built on previous post-exploitation tools, such as FoggyWeb, which could steal certificates from AD FS servers. Armed with these, the attackers could make their way deep into organizational infrastructure, exfiltrating data along the way, breaking into accounts, and impersonating users.

The level of effort needed to uncover the sophisticated attack tools and techniques shows that the upper echelons of attackers require companies to be playing their best defense, according to Microsoft.

"Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess," the company stated. "In fact, Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia."

Limit Privileges for Identity Systems

Companies need to treat AD FS systems and all identity providers (IdPs) as privileged assets in the same protective tier (Tier 0) as domain controllers, Microsoft stated in its incident response advisory. Such measures limit who can access those hosts and what those hosts can do on other systems.

In addition, any defensive techniques that raise the cost of operations for cyberattackers can help prevent attacks, Microsoft stated. Companies should use multifactor authentication (MFA) across all accounts throughout the organization and make sure they monitor the authentication data flows to have visibility into potential suspicious events.
