Security News > 2022 > August > Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows

Microsoft has discovered a new malware used by the Russian hacker group APT29 that enables authentication as anyone in a compromised network.

Dubbed 'MagicWeb', the new malicious tool is an evolution of 'FoggyWeb', which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control server.

The MagicWeb' tool replaces a legitimate DLL used by ADFS with a malicious version to manipulate user authentication certificates and to modify claims passed in tokens generated by the compromised server.

Because ADFS servers facilitate user authentication, MagicWeb can help APT29 validate authentication for any user account on that server, giving them persistence and an abundance of pivoting opportunities.

MagicWeb requires APT29 to first gain admin access to the target ADFS server and replace the said DLL with their version, but Microsoft reports that this has already happened in at least one case its Detection and Response Team team was called to investigate.

BeginEndpointConfiguration() - Allow WAP to pass the request with the specific malicious certificate to ADFS for further authentication processing.

News URL

https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/