Security News > 2022 > August > Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows
Microsoft has discovered a new malware used by the Russian hacker group APT29 that enables authentication as anyone in a compromised network.
Dubbed 'MagicWeb', the new malicious tool is an evolution of 'FoggyWeb', which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control server.
The MagicWeb' tool replaces a legitimate DLL used by ADFS with a malicious version to manipulate user authentication certificates and to modify claims passed in tokens generated by the compromised server.
Because ADFS servers facilitate user authentication, MagicWeb can help APT29 validate authentication for any user account on that server, giving them persistence and an abundance of pivoting opportunities.
MagicWeb requires APT29 to first gain admin access to the target ADFS server and replace the said DLL with their version, but Microsoft reports that this has already happened in at least one case its Detection and Response Team team was called to investigate.
BeginEndpointConfiguration() - Allow WAP to pass the request with the specific malicious certificate to ADFS for further authentication processing.
News URL
Related news
- New Microsoft script updates Windows media with bootkit malware fixes (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- Microsoft says attackers use exposed ASP.NET keys to deploy malware (source)
- Microsoft has finally fixed Date & Time bug in Windows 11 (source)
- Microsoft shares workaround for Windows security update issues (source)
- Russian military hackers deploy malicious Windows activators in Ukraine (source)
- Windows 10 KB5051974 update force installs new Microsoft Outlook app (source)
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)
- If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish (source)