
Microsoft Takes the Wraps off Sophisticated Tactics by Nobelium

Microsoft researchers recently provided deep insights into the threat ecosystem of the Russia-linked Nobelium group. The group, best known for the supply chain attack on SolarWinds, used a malicious tool called MagicWeb to perform a sophisticated authentication bypass against Active Directory Federation Services (AD FS). The findings below reveal how they did it.

Diving into details 

Nobelium used MagicWeb, an evolution of FoggyWeb, to implant a backdoor on the unnamed customer's AD FS server.
  • Nobelium accessed a vulnerable application through Azure AD App Proxy and moved laterally to the AD FS servers using an AD privilege escalation vulnerability.
  • It used a backdoor DLL with added .NET classes and static constructors and loaded it into the Global Assembly Cache (GAC), an obscure piece of .NET infrastructure.
  • Loading into the AD FS process was made possible by editing a configuration file to specify a different public key token for the backdoored assembly.
  • Further, the group used specially crafted, highly privileged certificates to bypass the normal authentication process and move laterally through the network.
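The persistence step above hinges on a .NET assembly-binding entry that points an AD FS assembly at a public key token the attacker controls. The following audit script is an added example for defenders, not code from Microsoft or from the Cyware article. It parses the `<assemblyBinding>` section of a .NET application config and flags any `Microsoft.IdentityServer.*` entry whose `publicKeyToken` differs from the expected Microsoft token or that carries a `codeBase` override. The expected token value `31bf3856ad364e35` is an assumption taken from the signing of Windows components and should be confirmed against a known-good AD FS server; the sample config embedded in the script is constructed for the demonstration, and the config file name in the comments is illustrative.

```python
"""Audit a .NET app.config for assembly-binding entries that redirect
AD FS assemblies to a foreign public key token.

Added example (not from the article or from Microsoft). Assumptions:
  - the input is an AD FS service configuration file, such as
    Microsoft.IdentityServer.Servicehost.exe.config (path illustrative)
  - Microsoft-signed AD FS assemblies use public key token 31bf3856ad364e35
    (assumed baseline; verify against a known-good server before relying on it)
"""
import sys
import xml.etree.ElementTree as ET

ASM_NS = "urn:schemas-microsoft-com:asm.v1"   # namespace of <assemblyBinding>
EXPECTED_TOKEN = "31bf3856ad364e35"            # assumed Microsoft token
WATCHED_PREFIX = "microsoft.identityserver"    # AD FS assembly family

# Constructed sample config: the first entry is benign, the second mimics a
# redirect of an AD FS assembly to a backdoored copy signed with another key.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.IdentityServer.Service"
                          publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.IdentityServer.Diagnostics"
                          publicKeyToken="0123456789abcdef" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""


def audit_binding_redirects(config_xml, expected_token=EXPECTED_TOKEN):
    """Return one finding dict per suspicious <dependentAssembly> entry."""
    root = ET.fromstring(config_xml)
    findings = []
    for dep in root.iter("{%s}dependentAssembly" % ASM_NS):
        ident = dep.find("{%s}assemblyIdentity" % ASM_NS)
        if ident is None:
            continue
        name = ident.get("name", "")
        token = ident.get("publicKeyToken", "").lower()
        if not name.lower().startswith(WATCHED_PREFIX):
            continue  # only AD FS assemblies are in scope for this check
        if token != expected_token:
            findings.append({"assembly": name, "publicKeyToken": token,
                             "reason": "public key token differs from expected Microsoft token"})
        # <codeBase> lets the runtime load the assembly from an arbitrary path
        if dep.find("{%s}codeBase" % ASM_NS) is not None:
            findings.append({"assembly": name, "publicKeyToken": token,
                             "reason": "codeBase override present"})
    return findings


if __name__ == "__main__":
    # Usage: python audit_adfs_config.py <path-to-config>; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    for f in audit_binding_redirects(xml_text):
        print("SUSPICIOUS: %s token=%s (%s)" % (f["assembly"], f["publicKeyToken"], f["reason"]))
```

On a live server this check only covers the configuration half of the technique; pair it with a signature check of the AD FS assemblies actually present in the GAC (for example `Get-AuthenticodeSignature` in PowerShell over the `Microsoft.IdentityServer.*` DLLs) so that a replaced DLL is caught even when the config has not been touched.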

Discovery of MagicWeb

Microsoft first spotted MagicWeb in August 2022, when a Microsoft customer fell victim to it. MagicWeb is a post-compromise capability: it is deployed only once the attacker already has access to the environment.
  • Nobelium was using the tool to maintain persistent access to the customer environment it had compromised.
  • Microsoft's Detection and Response Team (DART) collected and wrangled the relevant data, then performed in-depth analysis to understand the anomalous authentication requests.
  • They found that the tool can exfiltrate the configuration database of compromised AD FS servers, decrypt token-signing and token-decryption certificates, and obtain additional payloads from its C2 server.

Conclusion

Nobelium used MagicWeb as a post-compromise capability to maintain persistent access to compromised environments. The group remains highly active with these tools, conducting multiple cyberattacks in parallel that target government organizations, NGOs, IGOs, and think tanks across the U.S., Europe, and Central Asia. Organizations are advised to prioritize the safety and security of AD FS systems and all other identity providers.
Cyware Publisher
