Security News > 2022 > August > Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows
Microsoft has discovered a new malware used by the Russian hacker group APT29 that enables authentication as anyone in a compromised network.
Dubbed 'MagicWeb', the new malicious tool is an evolution of 'FoggyWeb', which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control server.
The MagicWeb' tool replaces a legitimate DLL used by ADFS with a malicious version to manipulate user authentication certificates and to modify claims passed in tokens generated by the compromised server.
Because ADFS servers facilitate user authentication, MagicWeb can help APT29 validate authentication for any user account on that server, giving them persistence and an abundance of pivoting opportunities.
MagicWeb requires APT29 to first gain admin access to the target ADFS server and replace the said DLL with their version, but Microsoft reports that this has already happened in at least one case its Detection and Response Team team was called to investigate.
BeginEndpointConfiguration() - Allow WAP to pass the request with the specific malicious certificate to ADFS for further authentication processing.
News URL
Related news
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Russian Espionage Group Targets Ukrainian Military with Malware via Telegram (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Russian charged by U.S. for creating RedLine infostealer malware (source)
- Uncle Sam outs a Russian accused of developing Redline infostealing malware (source)
- Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware (source)
- Microsoft fixes Windows 10 bug causing apps to stop working (source)
- Microsoft wants $30 if you want to delay Windows 11 switch (source)
- Microsoft delays Windows Recall again, now by December (source)