NOBELIUM: FoggyWeb backdoor targets Active Directory Federation Services
Written by: Vikram Navali, Senior Technical Product Manager
Microsoft has published an in-depth analysis of a newly detected malware referred to as FoggyWeb. This post-exploitation backdoor can remotely exfiltrate sensitive information from a compromised Active Directory Federation Services (AD FS) server. The research team at Microsoft has observed that NOBELIUM, the actor behind the SUNBURST backdoor, TEARDROP malware, and related components, has used FoggyWeb since April 2021.
According to Microsoft Threat Intelligence Center (MSTIC), NOBELIUM has employed multiple tactics to obtain user credentials and gain administrative access to the AD FS server. In documented attacks, after compromising the AD FS server, the threat actor performed remote operations such as exfiltrating the database configuration, decrypting token-signing and token-decryption certificates, and downloading and executing additional components.
The diagram below illustrates how NOBELIUM threat actors used the FoggyWeb backdoor to compromise the internet-facing AD FS server.
Reference: Microsoft’s FoggyWeb backdoor methodology
How do threat actors compromise crown jewels like AD FS servers?
Credential theft is the most common technique; it involves stealing a victim's identity, such as account names, passwords, hashes, tickets, and cloud access keys. The attackers exploit an infected endpoint to extract credentials and locate targeted assets. From the infected system, they perform Active Directory reconnaissance to enumerate and compromise privileged credentials and service accounts. Using the stolen credentials, they move laterally and escalate privileges to compromise crown jewels like the AD FS server. Threat actors can also exfiltrate stolen data and establish backdoors for subsequent attacks.
Threat actors steal credentials for multiple reasons: to sell them on the dark web, access computer systems, and maintain persistence. They search for credentials stored in several places on a victim's endpoint. Some applications also store login passwords to make them easier for users to manage and maintain. Attackers can leverage open-source credential dumping tools, such as Mimikatz and LaZagne, to obtain credentials from databases, memory, and web browsers.
Attackers search for credentials from common password storage locations and steal them for performing privilege escalation.
- File System on disk
  - These will be persistent across reboots.
  - They can be clear text or encrypted.
  - Some applications store credentials in databases, which eventually get stored as files.
- Windows Registry
  - OS and applications save user and system-specific data in the Windows Registry.
  - Applications save credentials in the Windows Registry.
- The Operating System or 3rd Party Applications can provide Vaults for credential storage
  - Examples: Windows Credential Manager Vault, KeePass
- Credentials get loaded into memory as clear-text passwords or hashes.
  - Generated Tokens (Kerberos) after authentication also are saved in memory.
  - These are not persisted in the File System and will clear from memory after a reboot. Some will expire after a certain period.
Although Microsoft has notified all customers of FoggyWeb malware activity, organizations must detect and prevent credential theft early in the attack chain. Attivo Networks has announced its revolutionary way of protecting credentials from theft and misuse.
As part of its Endpoint Detection Net (EDN) suite, the ThreatStrike® solution allows organizations to hide real credentials from attacker tools and bind them to their applications. Additionally, the solution deploys decoy artifacts as deceptive credentials, accounts, files, etc. Attackers stealing decoy artifacts from an endpoint can also take these deceptive accounts and get redirected to decoys for engagement, further impacting their intended operations.
The Attivo Networks ADSecure also offers detection opportunities to defenders. The solution provides real-time alerting on attackers enumerating AD FS. The ADSecure solution detects and prevents the use of AD enumeration tools and PowerShell cmdlets. The figure below shows the console event triggered during AD FS PowerShell cmdlets usage.
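A vendor-neutral sketch of alerting on AD FS PowerShell cmdlet usage, as described above. This is an added example, not Attivo's or Microsoft's code; the JSON record shape, host and account names, and the allow-list are constructed assumptions standing in for exported PowerShell script block logging events (Event ID 4104).

```python
import json
import re

# Constructed sample: one JSON record per line, shaped like exported
# PowerShell script block logging events. All values are made up.
SAMPLE_LOG = """\
{"event_id": 4104, "host": "adfs01", "user": "adfs-admin@corp.example", "script": "Get-AdfsProperties"}
{"event_id": 4104, "host": "adfs01", "user": "jdoe@corp.example", "script": "Import-Module ADFS; Get-AdfsCertificate -CertificateType Token-Signing"}
{"event_id": 4104, "host": "ws042", "user": "jdoe@corp.example", "script": "Get-Date"}
not-json debris line
{"event_id": 4104, "host": "adfs01", "user": "backup-svc@corp.example", "script": "get-adfsrelyingpartytrust | fl"}
"""

# Cmdlets in the AD FS PowerShell module use a noun that starts with "Adfs".
ADFS_CMDLET = re.compile(r"\b([A-Za-z]+-Adfs[A-Za-z]+)\b", re.IGNORECASE)

# Hypothetical allow-list of accounts expected to administer AD FS.
EXPECTED_ADMINS = {"adfs-admin@corp.example"}


def find_adfs_cmdlet_alerts(log_text, expected_admins=EXPECTED_ADMINS):
    """Return one alert per script block that invokes an AD FS cmdlet."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip rather than abort the scan
        if not isinstance(event, dict) or event.get("event_id") != 4104:
            continue  # only script block events carry the script text
        cmdlets = sorted({c.lower() for c in ADFS_CMDLET.findall(event.get("script", ""))})
        if not cmdlets:
            continue
        user = event.get("user", "").lower()
        alerts.append({
            "line": line_no,
            "host": event.get("host", ""),
            "user": user,
            "cmdlets": cmdlets,
            # Use by an expected admin is recorded; anyone else is escalated.
            "severity": "info" if user in expected_admins else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_adfs_cmdlet_alerts(SAMPLE_LOG):
        print(alert)
```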
As a mitigation strategy, organizations should review their AD FS Server configuration and implement best practices and recommendations for hardening and securing their AD FS deployment.
According to Verizon’s 2021 Data Breach Investigation Report, credentials remain among the most sought-after data types by attackers (60%). The stolen credentials provide the opportunity to create more accounts and compromise the organization. Protecting credentials is extremely important for securing an organization’s infrastructure and safeguarding its crown jewels.
For more information, please visit https://attivonetworks.com/product/endpoint-detection-net/.
- FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
- GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence