Microsoft warning: This malware creates a 'persistent' backdoor for hackers

This custom backdoor lets attackers remotely steal tokens and certificates from Microsoft's identity platform.
Written by Liam Tung, Contributing Writer

Microsoft has uncovered another piece of malware used by the attackers who were behind the SolarWinds software supply chain attack discovered in December.   

Security researchers have discovered numerous modules used by the attack group, which Microsoft calls Nobelium. The US and UK in April officially blamed the attack on the hacking unit of the Russian Foreign Intelligence Service (SVR), which is also known as APT29, Cozy Bear, and The Dukes.  

Microsoft in March uncovered the GoldMax, GoldFinder, and Sibot components from Nobelium, building on other malware from the group including Sunburst/Solarigate, Teardrop and Sunspot.  


The newly discovered malware, called FoggyWeb by Microsoft, is a backdoor used by the attackers after a targeted server has already been compromised. 

Before deploying FoggyWeb, the group uses several tactics to steal network usernames and passwords and gain admin-level access to Active Directory Federation Services (AD FS) servers, the identity and access management infrastructure that controls user access to apps and resources. Once installed there, the backdoor lets the attackers stay inside a network even after a clean-up. FoggyWeb has been used in the wild since as early as April 2021, according to Microsoft.  

"Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components," explains Ramin Nafisi of the Microsoft Threat Intelligence Center.

"FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server," Nafisi adds. 

Stealing the token-signing certificate is what makes the backdoor dangerous: AD FS uses that certificate to sign the Security Assertion Markup Language (SAML) tokens that let users authenticate to applications without re-entering credentials, so an attacker holding the private key can mint tokens that relying applications accept as genuine.


Microsoft recommends that potentially affected customers take three key steps: audit on-premises and cloud infrastructure, including configurations and per-user and per-app settings; remove user and app access, review configurations, and re-issue new, strong credentials; and use a hardware security module (HSM) so that the AD FS private keys cannot be exported, which stops FoggyWeb from stealing those secrets from the server. 
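The audit step above is the one an AD FS administrator can start on immediately. The script below is an added example written for this page; it is not code from the article or from Microsoft, and it only uses the documented ADFS module cmdlets (Get-AdfsProperties, Get-AdfsCertificate, Update-AdfsCertificate). It assumes it is run in an elevated PowerShell session on an AD FS server. It reports whether token certificates are auto-generated and kept in the AD FS configuration database (the store FoggyWeb is described as exfiltrating) or installed in the local machine store, and for the latter whether the private key sits in a software provider with an exportable policy or in an HSM-backed provider. The Update-AdfsCertificate line is the re-issue step and is left commented out because it forces a rollover that relying parties must pick up via federation metadata.

```powershell
# Added AD FS key-protection audit (example code, not from the article or Microsoft).
# Assumes: elevated session on an AD FS server with the ADFS module available.
Import-Module ADFS

# 1. Auto-rollover certificates are generated by AD FS and stored in its
#    configuration database rather than in a hardware-backed key store.
$props = Get-AdfsProperties
[pscustomobject]@{
    AutoCertificateRollover = $props.AutoCertificateRollover
    CertificateDuration     = $props.CertificateDuration
} | Format-List

# 2. For each token-signing / token-decrypting certificate, locate the private
#    key and report its provider and export policy. A key in the Microsoft
#    Software Key Storage Provider (or a software CSP) with an exportable policy
#    is one that malware running on the server can carry away; an HSM vendor
#    KSP is what Microsoft's third recommendation points at.
function Get-AdfsKeyProtection {
    $certs = Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }
    foreach ($c in $certs) {
        # Assumption: manually installed certificates live in LocalMachine\My;
        # auto-rollover certificates do not, so a miss means "config database".
        $local = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $c.Thumbprint }
        $provider   = 'AD FS configuration database'
        $exportable = 'unknown'
        if ($local -and $local.HasPrivateKey) {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($local)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $provider   = $key.Key.Provider.Provider
                $exportable = ($key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        }
        [pscustomobject]@{
            Type       = $c.CertificateType
            IsPrimary  = $c.IsPrimary
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.Certificate.NotAfter
            Provider   = $provider
            Exportable = $exportable
        }
    }
}
Get-AdfsKeyProtection | Format-Table -AutoSize

# 3. Re-issue step (only valid when AutoCertificateRollover is enabled):
#    generate a new token-signing certificate and promote it immediately.
#    Relying parties must refresh federation metadata afterwards.
# Update-AdfsCertificate -CertificateType Token-Signing -Urgent
```

Run the audit before any clean-up and keep the output: a server whose certificates show a software provider with Exportable = True needs its keys re-issued after the intrusion is removed, not just the malware deleted, because the attacker may already hold copies.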

Microsoft in May uncovered more Nobelium infection tools, including EnvyScout, BoomBox, NativeZone, and VaporRage, as well as a spear-phishing campaign that piggybacked on a legitimate US email-marketing service.
