Microsoft has identified another piece of malware used by the attackers behind the SolarWinds software supply chain attack in December.
Researchers have discovered a number of modules used by the attack group, which Microsoft refers to as Nobelium. In April, the US and the United Kingdom officially attributed the attack to the Russian Foreign Intelligence Service (SVR) hacking unit, also known as APT29, Cozy Bear, and The Dukes.
FoggyWeb can create a permanent backdoor for intruders
The malware, called FoggyWeb, creates a backdoor that the intruders use after they have already gained access to a targeted server.
In this scenario, the group uses a range of techniques to steal usernames and passwords for Active Directory Federation Services (AD FS) servers in order to gain admin-level access. By overwriting the master boot record, an attacker can remain inside a network after a cleanup. According to Microsoft, FoggyWeb has been observed in the wild since April 2021.
Microsoft warns users of the malware and gives some recommendations
Ramin Nafisi from the Microsoft Threat Intelligence Center says: “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”
“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” he adds.
Because the stolen token-signing certificate is what makes an AD FS server's tokens trusted, the backdoor lets an attacker abuse Security Assertion Markup Language (SAML) tokens, which are used to let users sign in to applications more easily.
Microsoft advises potentially affected customers to take three key actions: audit on-premises and cloud infrastructure, including configurations and per-user and per-application settings; remove user and application access, review configurations, and reissue new, strong credentials; and use a hardware security module so that FoggyWeb cannot steal secrets from AD FS servers.
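The audit step above starts with knowing which token-signing and token-decrypting certificates an AD FS farm trusts and where their private keys live, since those are exactly the secrets the article says FoggyWeb exfiltrates. The following read-only script is an added example written for this page; it is not code from the article or from Microsoft. It assumes it is run as an administrator on a Windows Server with the AD FS role and its ADFS PowerShell module installed, and the helper Get-KeyProviderName is a hypothetical name introduced here.

```powershell
# Added example, not code from the article or from Microsoft. Read-only audit
# assumed to run as an administrator on an AD FS server where the ADFS
# PowerShell module is available.
Import-Module ADFS

# Hypothetical helper: report which key storage provider holds a certificate's
# private key. A software provider means the key material sits on the host and
# can be read by something running on the server; an HSM-backed provider
# reports its own name instead, which is what the HSM recommendation aims for.
function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no private key on this host' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return $rsa.Key.Provider.Provider      # CNG key storage provider name
        }
        return 'legacy CSP (' + $rsa.GetType().Name + ')'
    } catch {
        return 'unreadable: ' + $_.Exception.Message
    }
}

# Rollover settings: with automatic rollover AD FS generates self-signed
# token-signing and token-decrypting certificates itself and keeps them in
# its configuration database rather than in the machine certificate store,
# which is why exfiltrating that database yields the certificates.
$props = Get-AdfsProperties
"AutoCertificateRollover : $($props.AutoCertificateRollover)"
"CertificateDuration     : $($props.CertificateDuration) days"

# One row per token-signing / token-decrypting certificate AD FS knows about.
$report = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $local = Get-ChildItem Cert:\LocalMachine\My |
                 Where-Object { $_.Thumbprint -eq $c.Thumbprint } |
                 Select-Object -First 1
        if ($local) {
            $keyStore = Get-KeyProviderName $local
            $notAfter = $local.NotAfter
        } else {
            $keyStore = 'not in LocalMachine\My (AD FS-managed, held in the configuration database)'
            $notAfter = $c.Certificate.NotAfter
        }
        [pscustomobject]@{
            Type       = $type
            IsPrimary  = $c.IsPrimary
            Thumbprint = $c.Thumbprint
            NotAfter   = $notAfter
            KeyStore   = $keyStore
        }
    }
}
$report | Format-Table -AutoSize

# Relying parties are the applications forged tokens would be presented to;
# review this list for unexpected entries as part of the access review.
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, Enabled | Format-Table -AutoSize
```

A KeyStore column showing a software key storage provider, or certificates held only in the configuration database, is the situation the third recommendation addresses: once the secrets are moved to a hardware security module, a backdoor on the server can still request signatures but cannot copy the key out. After reissuing credentials, rerun the script and confirm the thumbprints listed as primary are the new ones.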