IT Infrastructure, Network Security, News

Microsoft Warns Of New AD FS Compromise By Sunburst Hackers

Same threat actor behind the SolarWinds Orion compromise uses new malware to create a backdoor and maintain persistence on a victim's system.

September 28, 2021 Zachary Comeau Leave a Comment


Microsoft says it has discovered another piece of malware used by the alleged Russia-based hacking group responsible for the SolarWinds Orion compromise that creates a post-exploitation backdoor and is used to maintain persistence in a victim’s environment.

In a blog post, the Microsoft Threat Intelligence Center called this malware FoggyWeb and says it is used to remotely exfiltrate the configuration database of Active Directory Federation Services (AD FS), the decrypted token-signing certificate and the token-decryption certificate. The malware is also used to download and execute other components.

Microsoft says it has observed FoggyWeb being used in the wild as early as April 2021, four months after the threat group it calls Nobelium was discovered leveraging the SolarWinds Orion platform to spy on U.S. agencies and infiltrate the IT supply chain elsewhere.

“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server,” said Ramin Nafisi,

Organizations that think they have been targeted or compromised by this activity are urged to audit their on-premises and cloud infrastructure, going so far as to investigate per-user and per-app settings, forwarding rules and other changes that may have been made to help Nobelium maintain access.

Organizations are also urged to remove user and app access and review configurations for each, reissue strong credentials and use a hardware security module to prevent the exfiltration of data by the malware.

In addition to remote exfiltration capabilities, FoggyWeb can also receive additional malicious components from a command-and-control server and execute them on the compromised server, Nafisi writes.


After compromising an AD FS server, Nobelium uses administrative privileges to drop two files onto the system in these locations:

  • %WinDir%\ADFS\version.dll
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll can be described as its loader. The AD FS service executable Microsoft.IdentityServer.ServiceHost.exe loads that DLL via a DLL search order hijacking technique that involves the core Common Language Runtime (CLR) DLL files (described in detail in the FoggyWeb loader section of the blog post). This loader is responsible for loading the encrypted FoggyWeb backdoor file and using a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.

After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader, an unmanaged application, leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed. This grants the backdoor access to the AD FS codebase and resources, including the AD FS configuration database (as it inherits the AD FS service account permissions required to access the configuration database).
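The two file paths and the search-order hijack of version.dll described above give a defender something concrete to hunt for. The following PowerShell is an added example, not code from the article or from Microsoft's blog: it checks an AD FS server for the two dropped-file paths, flags DLLs in the AD FS directory that are unsigned or not Microsoft-signed, and lists any version.dll that the AD FS service process has loaded from outside System32 (where the legitimate copy lives). It assumes it is run elevated on the AD FS server itself, since reading a service process's module list requires administrative rights.

```powershell
# Added hunting example (not from the article or Microsoft's blog).
# Run elevated on the AD FS server.

$adfsDir = Join-Path $env:WinDir 'ADFS'

# 1. The two drop paths named in the article. Presence is a strong indicator;
#    hash and preserve the file for forensics rather than deleting it.
$iocPaths = @(
    (Join-Path $adfsDir 'version.dll'),
    (Join-Path $env:WinDir 'SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri')
)
foreach ($p in $iocPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Write-Warning "IoC path present: $p (SHA256 $h) - preserve for forensics"
    } else {
        Write-Output "Not present: $p"
    }
}

# 2. version.dll legitimately lives in System32. A copy placed in the AD FS
#    directory wins the DLL search order when the service starts. Report every
#    DLL under the AD FS directory that is unsigned or not signed by Microsoft.
Get-ChildItem -LiteralPath $adfsDir -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Signer = $signer }
        }
    } | Format-Table -AutoSize

# 3. What the AD FS service process has actually loaded. A version.dll whose
#    path is not under System32 is the loader's footprint regardless of how it
#    is signed.
$system32 = Join-Path $env:WinDir 'System32'
$svc = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue
if ($svc) {
    $svc.Modules |
        Where-Object { $_.ModuleName -ieq 'version.dll' -and $_.FileName -notlike "$system32\*" } |
        ForEach-Object {
            Write-Warning "version.dll loaded from unexpected path: $($_.FileName)"
        }
} else {
    Write-Output 'AD FS service process not running on this host.'
}
```

Step 2 is a heuristic: signature status alone does not prove a DLL is benign, which is why step 3 keys on load path rather than signer. Any hit should be handled as part of an incident response, not cleaned up in place.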

When loaded, the malware functions as a “passive and persistent” backdoor that allows bad actors to abuse Security Assertion Markup Language (SAML) tokens.

Nafisi says the backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the victim’s AD FS deployment. The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.

Nafisi also gave details on how the malware blends into the victim’s environment and gives hackers elevated permissions for further activities. He writes that FoggyWeb runs in the context of the main AD FS process, so it inherits the AD FS service account permissions required to access the AD FS configuration database. The malware is loaded into the same application domain as the AD FS managed code, so it gains programmatic access to legitimate AD FS classes, methods, properties, fields, objects and components that are leveraged to facilitate other malicious activities.

For example, this allows FoggyWeb to gain access to the AD FS configuration data without connecting to the WID named pipe or manually running SQL queries to retrieve configuration information (for example, to obtain the EncryptedPfx blob from the configuration data). FoggyWeb is also AD FS version-agnostic; it does not need to keep track of legacy versus modern configuration table names and schemas, named pipe names, and other version-dependent properties of AD FS.

Mitigations include ensuring that only AD admins and AD FS admins have admin rights to the system, reducing local admin group membership on all AD FS servers, requiring cloud admins to use multi-factor authentication, ensuring minimal admin capability via agents, limiting on-network access via a host firewall, and ensuring AD FS admins use admin workstations to protect credentials, among others.
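The first two mitigations above, restricting admin rights to AD and AD FS admins and trimming local admin group membership on every AD FS server, are easy to let drift. The following PowerShell is an added example, not from the article or Microsoft's blog, that audits the local Administrators group on each AD FS server against an allowed baseline. The server names and the baseline groups are constructed placeholders; it assumes PowerShell remoting is enabled and that the servers run Windows Server 2016 or later, where Get-LocalGroupMember is available.

```powershell
# Added example (not from the article or Microsoft's blog): compare local
# Administrators membership on AD FS servers against an allowed baseline.

$adfsServers = @('adfs01.corp.example', 'adfs02.corp.example')   # placeholder hostnames

# Constructed baseline: the only principals that should hold local admin on an
# AD FS server. Replace with your own AD and AD FS admin groups.
$allowedAdmins = @(
    'CORP\Domain Admins',
    'CORP\ADFS Admins'
)

# Collect membership from each server over PowerShell remoting.
$members = Invoke-Command -ComputerName $adfsServers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource
}

# Anything not in the baseline is a finding. The built-in local Administrator
# account is tolerated here; remove that clause if your policy disables it.
$unexpected = $members | Where-Object {
    ($_.Name -notin $allowedAdmins) -and ($_.Name -notmatch '\\Administrator$')
}

if ($unexpected) {
    Write-Warning 'Local Administrators members outside the baseline:'
    $unexpected | Format-Table Server, Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Output 'All AD FS servers match the local admin baseline.'
}
```

Running this on a schedule and alerting on any non-empty result turns the "reduce local admin group membership" guidance into a check that catches new members, including ones an attacker adds to maintain access, rather than a one-time cleanup.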

According to Nafisi, Microsoft’s security tools such as Azure Sentinel and Microsoft 365 Defender detect and protect against this malware. Further mitigations, indicators of compromise and threat hunting guidance for those tools are included in the blog post.

Read Microsoft’s blog for more information. 

Tagged With: Microsoft, Nobelium, SolarWinds
