Posted on September 29, 2021 at 7:58 AM
The hacking group that made a name for itself by attacking the SolarWinds supply chain has been spotted again, this time using an entirely different backdoor.
According to investigators at the Microsoft Threat Intelligence Center, the Nobelium attackers use a piece of malware, called “FoggyWeb”, that gives them remote access and persistence on vulnerable Active Directory servers. This attack follows on from a vulnerability that was spotted more than five months ago.
In a statement about FoggyWeb, Microsoft investigator Ramin Nafisi described the backdoor as only one stage of a longer process aimed at acquiring user credentials. Nobelium then uses those credentials to move across networks and get its hands on even more valuable data.
Once the group has exploited bugs to compromise Active Directory Federation Services servers, it plants the backdoor to give itself unrestricted access to the server, and from that point it acquires data through that remote access.
FoggyWeb is an encrypted backdoor that sits alongside a loader structured to look like a safe, recognized Windows DLL. Once loaded, it runs with the same privileges as the system administrator. FoggyWeb is also AD FS version-agnostic, meaning it does not need to distinguish legacy configurations from updated ones.
The Microsoft investigator also explained that once Nobelium holds the user credentials, the server is effectively compromised. At that point the attackers can use this foothold to maintain unrestricted access and go on to harvest more credentials using sophisticated malware and related tooling.
The group uses the backdoor to extract the configuration database of the compromised Active Directory Federation Services server. With that access, they can dig deeper to obtain the private token-signing credentials, decrypt tokens, and reach other, even more critical parts of the system.
Nobelium threat attackers
Nobelium is generally believed to be backed by the Russian government. The group, also known as Cozy Bear or APT29, has been linked to last year’s SolarWinds hack and to other network attacks that followed the SolarWinds incident. Those attacks have all been attributed to the backdoor planted in SolarWinds’ IT management platform, Orion.
This notorious hacking group has been operational for more than five years. While SolarWinds ranks as one of its biggest attacks, the group is linked to various other damaging attacks, including the infiltration of the Democratic National Committee in 2016.
The latest attack, enabled by the FoggyWeb backdoor, stands out because it relies on new malware rather than the group’s signature Sunburst malware used in the SolarWinds attack. Sunburst was also used in attacks such as Goldmax. Backed by the Kremlin, the group does not depend on off-the-shelf hacking tools; it has the means and capacity to develop its own.
Researchers’ findings show that Nobelium has substantial operational resources, which its campaigns routinely display in the form of custom-built malware and attack infrastructure.
The Microsoft investigator also published several pointers on the weaknesses FoggyWeb takes advantage of, covering Active Directory Federation Services server configuration and hunting and detection queries for security products. With admin-level access to any system they compromise, Nobelium can exfiltrate large volumes of data belonging to the victim and to the victim’s client base, which is what they did with the Active Directory Federation Services servers.
The Democratic National Committee intrusion was serious enough to end in a lawsuit alleging that Russian attackers had tried to breach its systems. Microsoft’s warning should therefore be taken very seriously: the company has disclosed a newly developed tool that the group uses to exfiltrate private data and plant a backdoor on the server’s Active Directory.
To protect systems against similar attacks, Roger Halbheer, Microsoft’s chief security adviser, suggests that the best protection is to move off AD FS. FoggyWeb can only be loaded into the same application as AD FS, as managed code of the same kind. This gives the attackers access that is not only programmatic but also lets them appear as legitimate classes within AD FS, with the same privileges as the administrator to support their malicious operations.
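Two defender-side checks that follow from the points above, written here as an added example rather than code from the article or from Microsoft: the first lists the DLLs loaded into the AD FS service process and flags any that are not validly Microsoft-signed, since the backdoor described above runs inside that process disguised as a Windows DLL; the second inventories the token-signing and token-decrypting certificates, which are the credentials to treat as exposed if the configuration database has been read. It assumes an elevated PowerShell session on an AD FS server, that the service process is named Microsoft.IdentityServer.ServiceHost, and that the ADFS module (which provides Get-AdfsCertificate) is installed; the function names Get-AdfsSuspectModule and Get-AdfsTokenCertificateInventory are this example's own.

```powershell
# Added example (not from the article or from Microsoft). Run in an elevated
# PowerShell session on an AD FS server. Assumptions: the AD FS service process is
# named Microsoft.IdentityServer.ServiceHost and the ADFS PowerShell module is
# available (both are standard on an AD FS server, but verify in your environment).

# 1. List every native module loaded into the AD FS service process and return
#    those whose Authenticode signature is missing, invalid, or not issued to
#    Microsoft. A DLL that was dropped next to AD FS and loaded into this process
#    should show up here (in-memory-only assemblies will not; see note below).
function Get-AdfsSuspectModule {
    $proc = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction Stop
    foreach ($m in $proc.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft Corporation') {
            [pscustomobject]@{
                Module = $m.ModuleName
                Path   = $m.FileName
                Status = $sig.Status
                Signer = $signer
            }
        }
    }
}

# 2. Inventory the token-signing and token-decrypting certificates. If the AD FS
#    configuration database is suspected to have been extracted, these are the
#    credentials to treat as exposed, so record which ones are primary and when
#    they expire before planning a rotation.
function Get-AdfsTokenCertificateInventory {
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($c in Get-AdfsCertificate -CertificateType $type) {
            [pscustomobject]@{
                Type       = $type
                Thumbprint = $c.Thumbprint
                IsPrimary  = $c.IsPrimary
                NotAfter   = $c.Certificate.NotAfter
                Subject    = $c.Certificate.Subject
            }
        }
    }
}

$suspect = Get-AdfsSuspectModule
if ($suspect) {
    Write-Warning 'Modules in the AD FS process without a valid Microsoft signature:'
    $suspect | Format-Table -AutoSize
} else {
    Write-Output 'All native modules in the AD FS process carry a valid Microsoft signature.'
}

Get-AdfsTokenCertificateInventory | Format-Table -AutoSize
```

The module listing only covers files mapped into the process from disk; managed assemblies loaded directly from a byte array in memory do not appear there, so this check complements rather than replaces the hunting queries and configuration guidance the article says Microsoft has published. On systems where Windows DLLs are catalog-signed rather than embedding a signature, Get-AuthenticodeSignature still reports them as Valid on current Windows releases, but review any flagged module by path before acting on it.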