Custom Malware Used by Nobelium APT to Backdoor Windows Domains
The New Malware Was Discovered by Researchers at Microsoft.
The Nobelium hacking group is using new malware to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
Cozy Bear is a hacking group believed to be linked to one or more Russian intelligence services; the US federal government tracks it as the advanced persistent threat APT29. CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM are some of the names that different cybersecurity organizations use for the group.
The malware, which researchers at the Microsoft Threat Intelligence Center (MSTIC) dubbed FoggyWeb, is a persistent, “passive and highly targeted” backdoor that abuses Security Assertion Markup Language (SAML) tokens.
It is designed to let attackers remotely exfiltrate sensitive data from compromised AD FS servers. To do so, it configures HTTP listeners for actor-defined URIs and intercepts the GET and POST requests sent to the AD FS server that match those custom URI patterns.
NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers together with the decrypted token-signing certificate and token-decryption certificate. The backdoor can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.
The FoggyWeb backdoor has been observed in the wild, in the hands of Russian state hackers, since April 2021.
Stay Safe From FoggyWeb
Microsoft has already notified the customers that were targeted or compromised through this backdoor.
According to BleepingComputer, organizations that believe they might have been breached or compromised should:
- Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and any other changes the actor might have made to maintain access.
- Remove user and app access, review the configuration of each, and re-issue new, strong credentials following documented industry best practices.
- Use a hardware security module (HSM), as described in Microsoft's guidance on securing AD FS servers, so that FoggyWeb cannot exfiltrate the token-signing and token-decryption private keys.
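The audit steps above, as an added PowerShell example that is not part of the original article or of Microsoft's published guidance. It pulls together the checks a responder would run first on an AD FS server after reading the description of FoggyWeb: which URLs HTTP.sys is currently serving, so an actor-defined URI outside the legitimate AD FS prefixes stands out; whether the token-signing and token-decrypting certificates are AD FS-managed keys stored with the configuration (what FoggyWeb decrypts and exfiltrates) or HSM-backed keys in the machine store; and whether any unsigned or non-Microsoft DLL sits in the AD FS service directory, a generic check for a loaded backdoor rather than a FoggyWeb-specific indicator. The function name `Invoke-AdfsBackdoorAudit` and the allow-list of expected URL prefixes are assumptions for this example. Run it elevated on the AD FS server itself.

```powershell
# Added example (not from the article or from Microsoft): first-pass audit of an
# AD FS server for the conditions FoggyWeb abuses. Run elevated on the AD FS server.
# The function name and the expected-prefix allow-list are assumptions.
function Invoke-AdfsBackdoorAudit {
    [CmdletBinding()]
    param(
        # URL prefixes AD FS is expected to serve; any other active prefix is flagged.
        [string[]]$ExpectedPrefixes = @('/adfs/', '/FederationMetadata/'),
        # Directory holding the AD FS service binaries (default install location).
        [string]$AdfsDir = (Join-Path $env:WinDir 'ADFS')
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Active HTTP.sys registrations. FoggyWeb answers actor-defined URIs on the
    #    AD FS server, so a prefix outside the allow-list needs explaining. A listener
    #    hidden inside the AD FS process under the existing /adfs/ reservation will
    #    NOT show up here; a clean list is one data point, not proof of absence.
    $state = netsh http show servicestate view=requestq verbose=yes 2>$null
    $urls = $state | Where-Object { $_ -match '^\s*https?://' } |
        ForEach-Object { $_.Trim() } | Sort-Object -Unique
    foreach ($u in $urls) {
        # '+' and '*' wildcard hosts are not valid for [uri]; swap in a placeholder host.
        $path = ([uri]($u -replace '://[^/]+', '://localhost')).AbsolutePath
        $known = $ExpectedPrefixes | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $known) { $findings.Add("Unexpected HTTP.sys registration: $u") }
    }

    # 2. Certificate storage. FoggyWeb exfiltrates the decrypted token-signing and
    #    token-decrypting certificates. AD FS-managed (auto-rollover) certificates keep
    #    their keys with the AD FS configuration; an HSM-backed key in the machine
    #    store cannot be exported the same way.
    $props = Get-AdfsProperties
    if ($props.AutoCertificateRollover) {
        $findings.Add('AutoCertificateRollover is enabled: token certificates are AD FS-managed and their keys are stored with the configuration, not in an HSM.')
    }
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        foreach ($c in Get-AdfsCertificate -CertificateType $type) {
            $thumb  = $c.Thumbprint
            $stored = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
            if (-not $stored) {
                $findings.Add("$type $thumb (primary=$($c.IsPrimary)) is not in LocalMachine\My; its private key is held with the AD FS configuration.")
                continue
            }
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($stored)
            $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider }
                        elseif ($rsa) { 'legacy CSP' } else { 'no accessible private key' }
            if ($provider -like '*Software*' -or $provider -eq 'legacy CSP') {
                $findings.Add("$type $thumb uses software key storage ($provider); an HSM-backed provider is recommended.")
            }
        }
    }

    # 3. Binaries next to the AD FS service. Anything unsigned or not signed by
    #    Microsoft in this directory deserves a look before the server is trusted again.
    Get-ChildItem -Path $AdfsDir -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("Unsigned or non-Microsoft DLL in AD FS directory: $($_.FullName) (status=$($sig.Status))")
        }
    }

    return $findings
}

# Usage: print each finding as a warning for the responder to triage.
Invoke-AdfsBackdoorAudit | ForEach-Object { Write-Warning $_ }
```

Each finding is a lead, not a verdict: an organization that legitimately serves extra paths on its federation host should extend `$ExpectedPrefixes`, and the key-storage check only tells you whether an HSM is in use, not whether the current keys have already been taken. If any of the three checks fires, treat the token-signing and token-decrypting certificates as compromised and rotate them as part of the credential re-issue step above.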