Cybersecurity researchers from Microsoft Threat Intelligence Center (MSTIC) have discovered a new, post-compromise capability allowing a threat actor to maintain persistent access to compromised environments.
Dubbed ‘MagicWeb’ by the tech giant, the capability has been attributed to Nobelium, a group commonly associated with the SolarWinds and USAID attacks.
“Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, NGOs, intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia,” MSTIC wrote in a blog post.
“[We assess] that MagicWeb was likely deployed during an ongoing compromise and was leveraged by Nobelium possibly to maintain access during strategic remediation steps that could preempt eviction.”
According to MSTIC, Nobelium has previously used specialized capabilities to maintain persistence, such as FoggyWeb, which Microsoft discovered in September 2021.
FoggyWeb was already capable of exfiltrating the configuration database of compromised Active Directory Federated Services (AD FS) servers, as well as decrypting token-signing and token-decryption certificates, and downloading and executing additional malware components.
MagicWeb builds on FoggyWeb’s capabilities by providing covert access directly through a malicious Dynamic-link library (DLL) that manipulates the claims passed in tokens generated by an AD FS server.
“It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML,” Microsoft explained.
According to the researchers, Nobelium first obtained highly privileged credentials, then moved laterally to gain administrative privileges on an AD FS system and deploy MagicWeb.
“Customers can defend against MagicWeb and other backdoors by implementing a holistic security strategy including the AD FS hardening guidance,” MSTIC warned. “In the case of this specific discovery, MagicWeb is one step of a much larger intrusion chain that presents unique detection and prevention scenarios.”
More generally, Microsoft said that with critical infrastructure such as AD FS, it is important to ensure attackers do not gain administrative access, as once that happens, threat actors have several options for further system compromise, activity obfuscation, and persistence.
“We recommend that any such infrastructure is isolated, accessible only by dedicated admin accounts, and regularly monitored for any changes.”
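A concrete form of that last recommendation, as an added example that is not from the article or from Microsoft: a small file-integrity baseline that hashes the executable files under the directories where AD FS binaries are installed, stores the result, and reports any added, removed or modified file on the next run. The default directory, the `.dll`/`.exe` filter and the constructed demo files are all assumptions for illustration; the point is that a change to an AD FS binary on an isolated, rarely changed server is itself the signal worth alerting on.

```python
"""Added example (not the article's or Microsoft's code): a file-integrity
baseline for AD FS binary directories, so that any change to the DLLs the
service loads is detected and reviewed."""
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical default location; adjust to the monitored server's layout.
DEFAULT_ROOTS = [r"C:\Windows\ADFS"]
WATCHED_SUFFIXES = (".dll", ".exe")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(roots, suffixes=WATCHED_SUFFIXES):
    """Map absolute path -> SHA-256 for every watched file under the roots."""
    baseline = {}
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue  # missing directory: nothing to record, not an error
        for entry in sorted(root.rglob("*")):
            if entry.is_file() and entry.suffix.lower() in suffixes:
                baseline[str(entry.resolve())] = sha256_file(entry)
    return baseline


def diff_baseline(old, new):
    """Report what changed between two baselines; any non-empty list is
    something an administrator should be able to explain (patch, upgrade)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(path for path in old.keys() & new.keys()
                      if old[path] != new[path])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario in a temporary directory: one legitimate DLL is
    overwritten and one new DLL appears; a text file is ignored by the filter."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "legit.dll").write_bytes(b"original bytes")  # constructed
        (root / "readme.txt").write_bytes(b"not a binary")   # constructed
        before = build_baseline([root])
        (root / "legit.dll").write_bytes(b"tampered bytes")  # modified
        (root / "dropped.dll").write_bytes(b"new module")     # added
        after = build_baseline([root])
        return diff_baseline(before, after)


if __name__ == "__main__":
    # Real use: run build_baseline(DEFAULT_ROOTS) after a known-good install,
    # save_baseline() it, and compare on a schedule with diff_baseline().
    print(json.dumps(demo(), indent=2))
```

Run on a schedule from a management host rather than only on the AD FS server itself, so that an attacker with administrative access to the server cannot simply edit the stored baseline; any reported change should be matched against an approved patch or upgrade before it is accepted into the new baseline.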