"SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor"

Researchers have found that the threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims' networks. Researchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT group it tracks as Nobelium using a post-exploitation backdoor dubbed FoggyWeb to attack Active Directory Federation Services (AD FS) servers. AD FS enables single sign-on (SSO) across cloud-based apps in a Microsoft environment by sharing digital identity and entitlement rights. The researchers stated that the attacks started as far back as April. The researchers noted that Nobelium is employing "multiple tactics to pursue credential theft" to gain admin privileges on AD FS servers. Once a server is compromised, the threat group deploys FoggyWeb to remotely exfiltrate the configuration database of the compromised AD FS server, its decrypted token-signing certificates, and its token-decryption certificates, which can be used to gain access to users' cloud accounts. The researchers also noted that, in addition to remotely exfiltrating sensitive data, FoggyWeb achieves persistence and communicates with a command-and-control (C2) server to receive additional malicious components and execute them.

Threatpost reports: "SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor"