Russia-Linked Nobelium Deploying New 'FoggyWeb' Malware
Microsoft: Malware Creates Backdoor to Exfiltrate Sensitive ADFS Server Data
Nobelium, the cyberespionage group responsible for the SolarWinds supply chain attack, has developed and deployed a new malware dubbed FoggyWeb, according to a Microsoft Threat Intelligence Center blog.
The Russia-linked threat actor uses FoggyWeb to create a backdoor in the servers of Active Directory Federation Services, or ADFS - a Microsoft software component that offers single sign-on solutions to its users - the blog says. As a component of Windows server operating system, ADFS provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication through Active Directory, according to Teju Shyamsundar, senior product marketing manager at identity and access management company Okta.
Nobelium has been using FoggyWeb in the wild since April 2021 to remotely exfiltrate sensitive information from the ADFS servers, according to Microsoft. Customers affected by the malware - whose identities it did not disclose - have already been notified, the company blog adds.
FoggyWeb is "a passive and highly targeted backdoor" that exfiltrates information from compromised ADFS servers, according to Microsoft. It particularly eyes the configuration databases of those servers, decrypted token-signing certificates, and token-decryption certificates, the security blog notes.
The malware can also receive additional malicious components from a command-and-control, or C2, server and execute them on the compromised server, Microsoft adds.
After gaining administrative privileges on the compromised ADFS server, the threat group drops two files that can only be written with these privileges:
- %WinDir%\ADFS\version.dll - the loader file
- %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri - the encrypted FoggyWeb malware file
The ADFS service executable Microsoft[.]IdentityServer[.]ServiceHost[.]exe is made to load that DLL through the DLL search order hijacking technique, according to Microsoft.
"This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm routine to decrypt the backdoor in memory," the blog notes.
The malware is then loaded into the ADFS application by leveraging the hosting interfaces and APIs of the Common Language Runtime, or CLR, Microsoft's virtual machine component, within the same application domain. By taking this approach, it inherits the ADFS service account permissions required to access the configuration database, granting the backdoor access to the ADFS codebase and resources, including the ADFS configuration database, Microsoft says.
Once installed, the backdoor monitors all incoming HTTP GET and POST requests sent to the ADFS server from the intranet/internet, and intercepts HTTP requests that match the custom URI patterns defined by the actor.
Microsoft's researchers say the most commonly configured listeners they have observed have the following HTTP GET and POST URI patterns:
- /adfs/portal/images/theme/light01/profile.webp - Retrieves the token-signing certificate;
- /adfs/portal/images/theme/light01/background.webp - Retrieves the token decryption certificate;
- /adfs/portal/images/theme/light01/logo.webp - Retrieves the AD FS configuration data of the compromised server;
- /adfs/services/trust/2005/samlmixed/upload - Used to download additional components from the C2 server.
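The four listener URIs above are exact paths, which makes them a straightforward thing to hunt for in request logs. The following is an added example, not code from the Microsoft blog or this article: a small Python detector that scans IIS W3C-style request log lines for the listed URIs and flags the two dropped-file paths in a file listing. The log format and the sample log lines and file paths are constructed assumptions; in a real environment the request logs may come from a Web Application Proxy in front of ADFS or from whatever request logging the deployment has enabled.

```python
"""Added example (not from the Microsoft blog or the article): hunt for FoggyWeb
listener URIs in request logs and for the dropped-file paths in a file listing."""
from dataclasses import dataclass

# Listener URIs quoted in the article, mapped to what each one returns to the caller.
FOGGYWEB_URIS = {
    "/adfs/portal/images/theme/light01/profile.webp": "token-signing certificate",
    "/adfs/portal/images/theme/light01/background.webp": "token-decryption certificate",
    "/adfs/portal/images/theme/light01/logo.webp": "AD FS configuration data",
    "/adfs/services/trust/2005/samlmixed/upload": "additional component download from C2",
}

# Dropped-file paths quoted in the article; %WinDir% is expanded by the caller.
FOGGYWEB_FILES = {
    r"%WinDir%\ADFS\version.dll": "loader DLL",
    r"%WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri": "encrypted backdoor",
}


@dataclass
class Hit:
    line_no: int
    client_ip: str
    method: str
    uri: str
    meaning: str


def parse_w3c_line(line):
    """Parse a minimal IIS W3C line laid out as (assumed field order):
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
    Returns (method, uri_stem, client_ip), or None for directives and blank lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 9:
        return None
    return fields[3], fields[4], fields[8]


def scan_log(lines):
    """Return a Hit for every GET/POST whose URI stem exactly matches a FoggyWeb listener.
    Comparison is case-insensitive because URL paths on Windows web stacks are."""
    hits = []
    for n, line in enumerate(lines, start=1):
        parsed = parse_w3c_line(line)
        if parsed is None:
            continue
        method, uri_stem, client_ip = parsed
        meaning = FOGGYWEB_URIS.get(uri_stem.lower())
        if meaning and method.upper() in ("GET", "POST"):
            hits.append(Hit(n, client_ip, method.upper(), uri_stem, meaning))
    return hits


def flag_dropped_files(paths, windir=r"C:\Windows"):
    """Return (path, description) for each listed path that matches a FoggyWeb drop location.
    NTFS paths are case-insensitive, so the comparison is too."""
    expected = {k.replace("%WinDir%", windir).lower(): v for k, v in FOGGYWEB_FILES.items()}
    return [(p, expected[p.lower()]) for p in paths if p.lower() in expected]


# Constructed sample log: one benign sign-in, one benign theme image, two listener hits.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-27 10:15:01 10.0.0.5 GET /adfs/ls/ - 443 - 203.0.113.7 Mozilla/5.0 200
2021-09-27 10:15:09 10.0.0.5 GET /adfs/portal/images/theme/light01/profile.webp - 443 - 198.51.100.23 Mozilla/5.0 200
2021-09-27 10:15:12 10.0.0.5 GET /adfs/portal/images/theme/light01/logo.png - 443 - 203.0.113.7 Mozilla/5.0 200
2021-09-27 10:16:40 10.0.0.5 POST /adfs/services/trust/2005/samlmixed/upload - 443 - 198.51.100.23 Mozilla/5.0 200
""".splitlines()

# Constructed file listing: the legitimate version.dll lives in System32; a copy in the
# ADFS directory is what the search-order hijack relies on and is the one to flag.
SAMPLE_FILES = [
    r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
    r"C:\Windows\ADFS\version.dll",
    r"C:\Windows\System32\version.dll",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.method} {h.uri} from {h.client_ip} -> {h.meaning}")
    for path, desc in flag_dropped_files(SAMPLE_FILES):
        print(f"file {path} -> {desc}")
```

Note that logo.png, a legitimate theme asset, is not reported: the matching is on the full URI stem, so the detector does not fire on ordinary requests into the ADFS theme directory. Correlating a hit with the dropped-file check, or with a new DLL appearing beside the ADFS service executable, is what turns a single log line into a credible indicator.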
Protecting ADFS servers is key to mitigating Nobelium attacks. Detecting and blocking the malware, the attacker's activity, and other malicious artifacts on ADFS servers can break the attack chain.
Microsoft says it has implemented detection and protection parameters against FoggyWeb based on the indicators of compromise registered so far. It adds that ADFS deployments can also be strengthened by:
- Restricting ADFS administrators' access and rights;
- Reducing group memberships on all ADFS servers;
- Setting logging to the highest level and sending the ADFS and security logs to a SIEM, so they can be correlated with authentication events from Active Directory, Azure AD or other similar directory services;
- Limiting on-network access via host firewall.
Microsoft offers detailed steps to secure ADFS and Web Application Proxy.
Nobelium, also called UNC2542 by FireEye, StellarParticle by CrowdStrike, and Cozy Bear or APT29 by others, has been linked to Russia's Foreign Intelligence Service, or SVR.
In March, researchers at Microsoft and FireEye disclosed that the hacker group had begun to use malware such as GoldMax, GoldFinder, Sibot and Sunshuttle (see: Researchers Disclose More Malware Used in SolarWinds Attack).
In July, Cozy Bear claimed to have gained access to the Republican National Committee through its connection to Synnex Corp., an IT services provider that reported an intrusion attempt against it (see: Republican National Committee Says Systems Weren't Breached).
In August, the attackers compromised at least one email account at 27 U.S. attorneys' offices in 15 states and Washington, D.C., throughout 2020, according to the U.S. Department of Justice. These various intrusions at federal prosecutors' offices targeted the Microsoft Office 365 accounts belonging to department employees. The attackers were able to access all email communications as well as message attachments, the Justice Department notes (see: SolarWinds Attackers Accessed US Attorneys' Office Emails).
In September, design software and 3D technology firm Autodesk acknowledged that it had been targeted by Nobelium, according to a financial filing with the U.S. Securities and Exchange Commission (see: Autodesk Says Company Was Targeted by SolarWinds Attackers).