Security News > 2022 > August > Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows
Microsoft has discovered a new malware used by the Russian hacker group APT29 that enables authentication as anyone in a compromised network.
Dubbed 'MagicWeb', the new malicious tool is an evolution of 'FoggyWeb', which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control server.
The MagicWeb' tool replaces a legitimate DLL used by ADFS with a malicious version to manipulate user authentication certificates and to modify claims passed in tokens generated by the compromised server.
Because ADFS servers facilitate user authentication, MagicWeb can help APT29 validate authentication for any user account on that server, giving them persistence and an abundance of pivoting opportunities.
MagicWeb requires APT29 to first gain admin access to the target ADFS server and replace the said DLL with their version, but Microsoft reports that this has already happened in at least one case its Detection and Response Team team was called to investigate.
BeginEndpointConfiguration() - Allow WAP to pass the request with the specific malicious certificate to ADFS for further authentication processing.
News URL
Related news
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Microsoft rolls back decision to stop Windows 11 22H2 preview updates (source)
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- Microsoft: Windows 11 “invites” coming to more Windows 10 Pro PCs (source)
- Microsoft is killing off the Android apps in Windows 11 feature (source)
- Microsoft says Russian hackers breached its systems, accessed source code (source)
- Microsoft confirms Russian spies stole source code, accessed internal systems (source)
- Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets (source)
- Microsoft: Russian hackers accessed internal systems, code repositories (source)
- Microsoft says Windows 10 21H2 support is ending in June (source)