Background
The Microsoft Threat Intelligence Center (MSTIC) has released information on the uncovering of a widespread malicious email campaign undertaken by the activity group that Microsoft tracks as NOBELIUM. Nobelium, which operates from Russia, is the name given to the threat actor behind the attacks against SolarWinds, Sunburst, Sunspot, Raindrop, Teardrop, GoldMax, GoldFinder, Sibot, Flipflop, NativeZone, EnvyScout, BoomBox, and VaporRage.
Threat Overview:
Nobelium specifically targets AD FS servers and uses a variety of tactics to steal admin credentials for those servers and then install malware and backdoors. NOBELIUM has developed a backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. This post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb.
FoggyWeb is a passive and highly targeted backdoor which can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.
After compromising an AD FS server, NOBELIUM was observed dropping the following two files on the system (administrative privileges are required to write these files to the folders listed below):
- %WinDir%\ADFS\version.dll
- %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri
How FoggyWeb targets AD FS ?
- FoggyWeb is stored in the encrypted file Data.TimeZones.zh-PH.pri, while the malicious file version.dllcan be described as its loader.
- The AD FS service executable IdentityServer.ServiceHost.exeloads the said DLL file via the ‘DLL search order hijacking technique’ that involves the core Common Language Runtime (CLR) DLL files.
- This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.
- The loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed.
- This grants the backdoor access to the AD FS codebase and resources, including the AD FS configuration database (as it inherits the AD FS service account permissions required to access the configuration database).
- When loaded, the FoggyWeb backdoor functions as a passive and persistent backdoor that allows abuse of the Security Assertion Markup Language (SAML) token.
- The backdoor configures HTTP listeners which passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.
FoggyWeb configures listeners for the following hardcoded URI patterns:
1) HTTP GET URI pattern:
– /adfs/portal/images/theme/light01/profile.webp
– /adfs/portal/images/theme/light01/background.webp
– /adfs/portal/images/theme/light01/logo.webp
2) HTTP POST URI pattern:
– /adfs/services/trust/2005/samlmixed/upload
- The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.
- FoggyWeb inherits the AD FS service account permissions required to access the AD FS configuration database as it runs in the context of the main AD FS process.
- FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations.
For more technical details kindly refer Microsoft blog
Detections
Protecting AD FS servers is key to mitigating NOBELIUM attacks. Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known NOBELIUM attack chains. Microsoft Defender Antivirus detects the new NOBELIUM components as the following malware:
- Loader: Trojan:Win32/FoggyWeb.A!dha
- Backdoor: Trojan:MSIL/FoggyWeb.A!dha
Indicators of compromise (IOCs)
Type | Threat Name | Threat Type | Indicator |
MD5 | FoggyWeb | Loader | 5d5a1b4fafaf0451151d552d8eeb73ec |
SHA-1 | FoggyWeb | Loader | c896ece073dd01191cbc1d462bc2f47161828a83 |
SHA-256 | FoggyWeb | Loader | 231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1 |
MD5 | FoggyWeb | Backdoor (encrypted) | 9ff9401315d0f7258a9fcde0cfdef02b |
SHA-1 | FoggyWeb | Backdoor (encrypted) | 4597431f26424cb814c917168fa8d74d01ab7cd1 |
SHA-256 | FoggyWeb | Backdoor (encrypted) | da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169 |
MD5 | FoggyWeb | Backdoor (decrypted) | e9671d294ce41fe6dbb9637dc0157a88 |
SHA-1 | FoggyWeb | Backdoor (decrypted) | 85cfeccbb48fd9f498d24711c66e458e0a80cc90 |
SHA-256 | FoggyWeb | Backdoor (decrypted) | 568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6 |
Mitigations
Customers should review their AD FS Server configuration and implement changes to secure these systems from attacks:
We strongly recommend for organizations to harden and secure AD FS deployments through the following best practices:
- Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
- Reduce local Administrators’ group membership on all AD FS servers.
- Require all cloud admins to use multi-factor authentication (MFA).
- Ensure minimal administration capability via agents.
- Limit on-network access via host firewall.
- Ensure AD FS Admins use Admin Workstations to protect their credentials.
- Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
- Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
- Ensure that the installed certificates are protected against theft. Don’t store these on a share on the network and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
- Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
- Remove unnecessary protocols and Windows features.
- Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
- Update to the latest AD FS version for security and logging improvements (as always, test first).
- When federated with Azure AD follow the best practices for securing and monitoring the AD FS trust with Azure AD.
Microsoft has notified all customers observed being targeted or compromised by this activity. If you believe your organization has been compromised, we recommend that you
- Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access
- Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
- Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.
You can depend on Cybernetic Global Intelligence for all your technology and security requirements. We provide technology solutions that eliminate risks while reducing costs. So don’t leave your business or organization vulnerable anymore. Contact us today and boost your company’s security and success.
We are a leading Aussie cybersecurity firm with years of experience in providing outstanding cybersecurity services. You can call 1300 292 376 or email contact@cybernetic-gi.com for assistance.