Microsoft has warned that the hacking group behind the 2020 SolarWinds supply chain attack have a new technique for bypassing authentication in corporate networks.
The trick, a highly specialized capability Microsoft calls "MagicWeb", allows the actors to keep a firm position in a network even as defenders attempt to eject them. However, unlike past attacks by the group, which Microsoft tracks as Nobelium, they are not employing supply chain attacks to deploy MagicWeb, but rather are abusing admin credentials.
The US and UK say Nobelium actors are from the hacking unit of the Russian Foreign Intelligence Service (SVR). Nobelium actors have pulled off several high-profile supply chain attacks since compromising the software build systems of SolarWinds in late 2020. That attack targeted roughly 18,000 customers, including Microsoft. A select number of clients -- thought to be around 100 US customers, including top tech firms and US government agencies -- were then breached.
SEE: Hackers are finding ways around multi-factor authentication. Here's what to watch for
Since then, Microsoft and other security firms have identified multiple sophisticated tools, such as backdoors, used by Nobelium – and MagicWeb is the latest. MagicWeb targets enterprise identity systems, namely Active Directory Federation Server (AD FS), which means on-premise AD servers versus cloud-based Azure Active Directory. As a result, Microsoft recommends isolating AD FS and restricting access to it.
Microsoft emphasizes that Nobelium remains "highly active". Last July, Microsoft revealed it had found info-stealer malware from Nobelium on the PC of one of its support agents, which was then used to launch attacks on others. Nobelium actors have also impersonated USAID in spear-phishing campaigns.
In October, Microsoft spotlighted Nobelium attacks on software and cloud service resellers, once again abusing the trust between supplier and customer to exploit direct access to customers' IT systems.
A month prior to the cloud/reseller attacks, it exposed a Nobelium tool called FoggyWeb, a post-compromise backdoor that collected details from an AD FS to gain token-signing and token-encryption certificates, and to deploy malware.
MagicWeb employs similar methods by targeting AD FS, but Microsoft says it "goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly."
"MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML."
SAML refers to Security Assertion Markup Language, which uses x509 certificates to establish trust relationships between identity providers and services and to sign and decrypt tokens, Microsoft explains.
Prior to deploying MagicWeb, the actors gained access to highly privileged credentials and then moved laterally on the network to gain admin rights on an AF FS system.
"This is not a supply chain attack," Microsoft stressed. "The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary."
The Redmond company's security teams – Microsoft's MSTIC, Microsoft 365 Defender Research, and Microsoft Detection and Response Team (DART) – found MagicWeb on a customer's systems. It assesses MagicWeb is used in "highly targeted" attacks.
SEE: Ransomware: Most attacks exploit these common cybersecurity mistakes - so fix them now, warns Microsoft
Microsoft is recommending customers keep AD FS infrastructure isolated and accessible only by the dedicated admin accounts, or to migrate to Azure Active Directory.
Microsoft offers a detailed explanation of how MagicWeb achieves its authentication bypass. The explanation hinges on understanding how AD FS "claims-based authentication" works. Instead of single sign-on for one organization, AD FS can use "claims" (tokens) to let external parties – customers, partners, and suppliers – authenticate with single sign-on.
"MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server," explains Microsoft.
MagicWeb also abuses the SAML x509 certificates that "contain enhanced key usage (EKU) values that specify what applications the certificate should be used for." EKUs feature Object Identifier (OID) values to support, for example, SmartCard logon. Organizations can also create custom OIDs to narrow certificate usage.
"MagicWeb's authentication bypass comes from passing a non-standard Enhanced Key Usage OID that is hardcoded in the MagicWeb malware during an authentication request for a specified User Principal Name," Microsoft explains.
"When this unique hard-coded OID value is encountered, MagicWeb will cause the authentication request to bypass all standard AD FS processes (including checks for MFA) and validate the user's claims. MagicWeb is manipulating the user authentication certificates used in SAML sign-ins, not the signing certificates for a SAML claim used in attacks like Golden SAML."
Defenders working at organizations likely to be targeted should review Microsoft's blog post for advice on how to harden networks and protect identity and authentication infrastructure.