Microsoft says it has discovered another piece of malware used by the alleged Russia-based hacking group responsible for the SolarWinds Orion compromise that creates a post-exploitation backdoor and is used to maintain persistence in a victim’s environment.
In a blog post, the Microsoft Threat Intelligence Center called this malware FoggyWeb and says it is used to remotely exfiltrate the configuration database of Active Directory Federation Services (AD FS), along with the decrypted token-signing certificate and token-decryption certificate. The malware is also used to download and execute other components.
Microsoft says it has observed FoggyWeb being used in the wild as early as April 2021, four months after the threat group it calls Nobelium was discovered leveraging the SolarWinds Orion platform to spy on U.S. agencies and infiltrate the IT supply chain elsewhere.
“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server,” said Ramin Nafisi,
Organizations that think they have been targeted or compromised by this activity are urged to audit their on-premises and cloud infrastructure, going so far as to investigate per-user and per-app settings, forwarding rules and other changes that may have been made to help Nobelium maintain access.
Organizations are also urged to remove user and app access and review configurations for each, reissue strong credentials and use a hardware security module to prevent the exfiltration of data by the malware.
In addition to remote exfiltration capabilities, FoggyWeb can also receive additional malicious components from a command-and-control server and execute them on the compromised server, Nafisi writes.
After compromising an AD FS server, Nobelium drops two files onto the system via administrative privileges into these folders:
FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll can be described as its loader. The AD FS service executable Microsoft.IdentityServer.ServiceHost.exe loads the said DLL file via the DLL search order hijacking technique that involves the core Common Language Runtime (CLR) DLL files (described in detail in the FoggyWeb loader section). This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.
After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader, an unmanaged application, leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed. This grants the backdoor access to the AD FS codebase and resources, including the AD FS configuration database (as it inherits the AD FS service account permissions required to access the configuration database).
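As an added, defender-side illustration (this is not code from the article or from Microsoft's post), the following PowerShell snippet checks an AD FS server for the two artifacts described above: it asks the running Microsoft.IdentityServer.ServiceHost.exe process which version.dll it loaded and from where, then searches the service directory and the Windows directory for the two named files. The fallback service folder and the reliance on the process's module list are assumptions; run it elevated on the AD FS server itself.

```powershell
# Added example, not from the article or Microsoft's post: hunt for the FoggyWeb
# loader (version.dll) and the encrypted backdoor file named in the article.
$loaderName   = 'version.dll'
$backdoorName = 'Windows.Data.TimeZones.zh-PH.pri'
$findings     = @()

$proc = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue
if (-not $proc) { Write-Warning 'AD FS service process not running; on-disk checks only.' }

# 1. Which version.dll did the AD FS process actually load? The legitimate copy lives
#    in System32; a copy loaded from the service's own folder is the search-order hijack.
if ($proc) {
    $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq $loaderName }
    foreach ($m in $loaded) {
        if ($m.FileName -notlike "$env:SystemRoot\System32\*") {
            $findings += "Loaded $loaderName from unexpected path: $($m.FileName)"
        }
    }
}

# 2. Look for the loader beside the service executable (fallback folder is an assumption),
#    and for the backdoor file anywhere under the Windows directory. Report the Authenticode
#    status of each hit so the analyst can see whether it is a vendor-signed binary.
$adfsDir = if ($proc) { Split-Path $proc.Path } else { Join-Path $env:SystemRoot 'ADFS' }
$searches = @(
    @{ Path = $adfsDir;        Name = $loaderName   },
    @{ Path = $env:SystemRoot; Name = $backdoorName }
)
foreach ($s in $searches) {
    $hits = Get-ChildItem -Path $s.Path -Filter $s.Name -Recurse -File -ErrorAction SilentlyContinue
    foreach ($f in $hits) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $findings += "$($f.FullName) (signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject))"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "SUSPICIOUS: $_" } }
else { Write-Output "No FoggyWeb loader or backdoor artifacts found under $adfsDir or $env:SystemRoot." }
```

A version.dll reported from the service folder rather than System32 is the condition to escalate; treat a legitimately signed hit as a false positive only after confirming it sits in System32.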
When loaded, the malware functions as a “passive and persistent” backdoor that allows bad actors to abuse the Security Assertion Markup Language (SAML) token.
Nafisi says the backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the victim’s AD FS deployment. The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.
Nafisi also gave details on how the malware blends into the victim’s environment and gives hackers elevated permissions for further activities. He writes that FoggyWeb runs in the context of the main AD FS process, so it inherits the AD FS service account permissions required to access the AD FS configuration database. The malware is loaded into the same application domain as the AD FS managed code, so it gains programmatic access to legitimate AD FS classes, methods, properties, fields, objects and components that are leveraged to facilitate other malicious activities.
For example, this allows FoggyWeb to gain access to the AD FS configuration data without connecting to the WID named pipe or manually running SQL queries to retrieve configuration information (for example, to obtain the EncryptedPfx blob from the configuration data). FoggyWeb is also AD FS version-agnostic; it does not need to keep track of legacy versus modern configuration table names and schemas, named pipe names, and other version-dependent properties of AD FS.
Mitigations include ensuring that only AD admins and AD FS admins have admin rights to the system, reducing local admin group membership on all AD FS servers, requiring cloud admins to use multi-factor authentication, ensuring minimal admin capability via agents, limiting on-network access via host firewall, ensuring AD FS admins use admin workstations to protect credentials, and more.
According to Nafisi, Microsoft’s security tools such as Azure Sentinel and Microsoft 365 Defender detect and protect against this malware. Further mitigations, indicators of compromise and threat-hunting guidance using those tools are included in the blog post.