Security News > 2021 > September > SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor

Researchers from the Microsoft Threat Intelligence Center have observed the APT it calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb, to attack Active Directory Federation Services servers.

Once a server is compromised, the threat group deploys FoggyWeb "To remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificates and token-decryption certificates," he said, which can be used to penetrate into users' cloud accounts.

In addition to remotely exfiltrating sensitive data, FoggyWeb also achieves persistence and communicates with a a command-and-control server to receive additional malicious components and execute them, Nafisi added.

Nafisi provides a thorough breakdown of the sophisticated FoggyWeb backdoor, which operates by allowing abuse of the Security Assertion Markup Language token in AD FS, he explained in the post.

"Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations," he added.

Since the SolarWinds incident, researchers have observed Nobelium steadily building out its arsenal beyond the Sunburst/Solorigate backdoor and Teardrop malware it initially deployed in that attack, which affected tens of thousands of organizations around the globe.

News URL

https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/