Microsoft has discovered a new post-exploitation backdoor attributed to the SolarWinds attackers, designed to help them retain admin-level access to Active Directory Federation Services (AD FS) servers they have already compromised.
Dubbed “FoggyWeb,” the malware has been in use since around April 2021, allowing the Russian-linked APT group known as Nobelium (aka APT29) to steal info from compromised servers and receive and execute additional malicious code.
AD FS servers are on-premises systems that provide single sign-on (SSO) to cloud applications in Microsoft environments, which makes them an attractive target for data thieves hunting for sensitive information.
“Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools,” explained Ramin Nafisi, senior software security engineer at Microsoft.
“Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”
Microsoft has informed all customers it observed being targeted by the malware, and it urged others who suspect they may be victims to audit their entire on-premises and cloud infrastructure for changes the threat actors may have made to maintain persistence.
It also recommended organizations remove user and app access and issue new, strong credentials. They should also use a hardware security module (HSM) to prevent the exfiltration of sensitive info by FoggyWeb, said Nafisi.
He listed multiple suggested techniques to harden and secure AD FS deployments, including restricting admin rights, deploying multi-factor authentication (MFA), removing unnecessary protocols and Windows features, sending AD FS logs to a SIEM, and using complex passwords with over 25 characters.
Since the infamous SolarWinds campaign, which compromised multiple US government departments, was discovered, the threat actors behind it have been building out their toolset.
Following the Sunburst backdoor and Teardrop malware used in the attacks, they developed GoldMax, GoldFinder and Sibot malware for layered persistence and EnvyScout, BoomBox, NativeZone and VaporRage for early-stage infections.