Security News > 2022 > August > Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers
The threat actor behind the SolarWinds supply chain attack has been linked to yet another "Highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments.
"Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations, intergovernmental organizations, and think tanks across the US, Europe, and Central Asia," Microsoft said.
MagicWeb, which shares similarities with another tool called FoggyWeb, is assessed to have been deployed to maintain access and preempt eviction during remediation efforts, but only after obtaining highly privileged access to an environment and moving laterally to an AD FS server.
"Nobelium's ability to deploy MagicWeb hinged on having access to highly privileged credentials that had administrative access to the AD FS servers, giving them the ability to perform whatever malicious activities they wanted to on the systems they had access to," Microsoft said.
The findings come on the heels of the disclosure of an APT29-led campaign aimed at NATO-affiliated organizations with the goal of accessing foreign policy information.
Another newer tactic used by the actor in recent operations is the use of a password guessing attack to obtain the credentials associated with a dormant account and enroll it for multi-factor authentication, granting it access to the organization's VPN infrastructure.
News URL
https://thehackernews.com/2022/08/microsoft-uncovers-new-post-compromise.html
Related news
- Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications (source)
- Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites (source)
- Russian Hackers May Have Targeted Ukrainian Telecoms with Upgraded 'AcidPour' Malware (source)
- Russian hackers target German political parties with WineLoader malware (source)
- Russian Hackers Use 'WINELOADER' Malware to Target German Political Parties (source)
- CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability (source)
- Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite (source)
- Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware (source)
- China-linked Hackers Deploy New 'UNAPIMON' Malware for Stealthy Operations (source)
- U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers (source)