FoggyWeb: SolarWinds Hackers Access Microsoft AD Servers

Background

The Microsoft Threat Intelligence Center (MSTIC) has released information on a widespread malicious email campaign it uncovered, undertaken by the activity group that Microsoft tracks as NOBELIUM. NOBELIUM, which operates from Russia, is the name given to the threat actor behind the attacks against SolarWinds and the malware families Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, Flipflop, NativeZone, EnvyScout, BoomBox, and VaporRage.

 

Threat Overview:

NOBELIUM specifically targets AD FS servers and uses a variety of tactics to steal admin credentials for those servers and then install malware and backdoors. NOBELIUM has developed a backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate, and the token-decryption certificate, as well as to download and execute additional components. MSTIC refers to this post-exploitation backdoor as FoggyWeb.

FoggyWeb is a passive and highly targeted backdoor which can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.

After compromising an AD FS server, NOBELIUM was observed dropping the following two files on the system (administrative privileges are required to write these files to the folders listed below):

  • %WinDir%\ADFS\version.dll
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

 

How does FoggyWeb target AD FS?

  • FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll can be described as its loader.
  • The AD FS service executable IdentityServer.ServiceHost.exe loads this DLL via the DLL search order hijacking technique, which involves the core Common Language Runtime (CLR) DLL files.
  • This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.
  • The loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed.
  • This grants the backdoor access to the AD FS codebase and resources, including the AD FS configuration database (as it inherits the AD FS service account permissions required to access the configuration database).

  • When loaded, the FoggyWeb backdoor functions as a passive and persistent backdoor that allows abuse of the Security Assertion Markup Language (SAML) token.
  • The backdoor configures HTTP listeners which passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.

  FoggyWeb configures listeners for the following hardcoded URI patterns:

1) HTTP GET URI patterns:

– /adfs/portal/images/theme/light01/profile.webp
– /adfs/portal/images/theme/light01/background.webp
– /adfs/portal/images/theme/light01/logo.webp

2) HTTP POST URI pattern:

– /adfs/services/trust/2005/samlmixed/upload

  • The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.

  • FoggyWeb inherits the AD FS service account permissions required to access the AD FS configuration database as it runs in the context of the main AD FS process.
  • Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatic access to the legitimate AD FS classes, methods, properties, fields, objects, and components, which it then leverages to facilitate its malicious operations.
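
The hardcoded URI patterns listed above can be hunted for in web logs. The following is an added example, not code from Microsoft or from the original post: it assumes a proxy or load balancer in front of AD FS exports W3C extended-format logs with the standard cs-method and cs-uri-stem fields, and it assumes path matching should be case-insensitive. The sample log lines are constructed.

```python
from urllib.parse import unquote

# Hardcoded listener URIs from this page, keyed by the HTTP method they expect.
FOGGYWEB_URIS = {
    "GET": {
        "/adfs/portal/images/theme/light01/profile.webp",
        "/adfs/portal/images/theme/light01/background.webp",
        "/adfs/portal/images/theme/light01/logo.webp",
    },
    "POST": {"/adfs/services/trust/2005/samlmixed/upload"},
}

def normalize(uri):
    """Drop any query string, percent-decode, and lower-case the path."""
    return unquote(uri.split("?", 1)[0]).lower()

def find_hits(lines):
    """Return one dict per log record whose method and path match a listener URI."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        method = rec.get("cs-method", "").upper()
        path = normalize(rec.get("cs-uri-stem", ""))
        if path in FOGGYWEB_URIS.get(method, ()):
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}",
                         "client": rec.get("c-ip"), "method": method,
                         "path": path, "status": rec.get("sc-status")})
    return hits

# Constructed sample log using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-09-28 10:01:02 198.51.100.7 GET /adfs/ls/idpinitiatedsignon.aspx 200
2021-09-28 10:01:09 203.0.113.5 GET /adfs/portal/images/theme/light01/profile.webp 200
2021-09-28 10:02:13 203.0.113.5 POST /ADFS/services/trust/2005/samlmixed/upload 200
2021-09-28 10:02:40 198.51.100.7 POST /adfs/services/trust/2005/usernamemixed 200
2021-09-28 10:03:00 198.51.100.9 GET /adfs/services/trust/2005/samlmixed/upload 404
2021-09-28 10:03:30 203.0.113.5 GET /adfs/portal/images/theme/light01/log%6F.webp 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage: check the AD FS server it reached for the two dropped files listed earlier before drawing conclusions.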

For more technical details, refer to the Microsoft blog.

 

Detections

Protecting AD FS servers is key to mitigating NOBELIUM attacks. Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known NOBELIUM attack chains. Microsoft Defender Antivirus detects the new NOBELIUM components as the following malware:

  • Loader: Trojan:Win32/FoggyWeb.A!dha
  • Backdoor: Trojan:MSIL/FoggyWeb.A!dha

 

Indicators of compromise (IOCs)

 


 

Mitigations

Customers should review their AD FS server configuration and implement changes to secure these systems from attacks.

We strongly recommend that organizations harden and secure AD FS deployments through the following best practices:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
  • Reduce local Administrators’ group membership on all AD FS servers.
  • Require all cloud admins to use multi-factor authentication (MFA).
  • Ensure minimal administration capability via agents.
  • Limit on-network access via host firewall.
  • Ensure AD FS Admins use Admin Workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
  • Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
  • Ensure that the installed certificates are protected against theft. Don’t store these on a network share, and set a calendar reminder to ensure they get renewed before expiring (an expired certificate breaks federation authentication). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
  • Remove unnecessary protocols and Windows features.
  • Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
  • Update to the latest AD FS version for security and logging improvements (as always, test first).
  • When federated with Azure AD, follow the best practices for securing and monitoring the AD FS trust with Azure AD.

Microsoft has notified all customers observed being targeted or compromised by this activity. If you believe your organization has been compromised, we recommend that you:

  • Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access.
  • Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
  • Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.
