Efficient MagicWeb Malware Subverts AD FS Authentication, Microsoft Warns

Published: 23/11/2024   Category: security




The Russia-backed Nobelium APT has developed a post-exploitation tool that lets attackers authenticate as any user.



The attackers responsible for the SolarWinds supply chain attack have added a new arrow to their quiver: a post-compromise capability dubbed MagicWeb, used to maintain persistent access to compromised environments and to move laterally.
Researchers at Microsoft observed the Russia-backed Nobelium APT deploying the backdoor after it had already obtained administrative privileges on an Active Directory Federation Services (AD FS) server. With that privileged access, the attackers replace a legitimate DLL with the malicious MagicWeb DLL, so that AD FS loads the malware as if it were its own code.
Like domain controllers, AD FS servers authenticate users. MagicWeb abuses this by letting the threat actors manipulate the claims placed in the authentication tokens an AD FS server issues; with control of those claims, they can authenticate as any user on the network.
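One check a defender can run against the DLL-replacement step described above, as an added example that is not from the article or from Microsoft's advisory: enumerate the DLLs under the AD FS install directory, verify each one carries a valid Authenticode signature from Microsoft, and compare SHA-256 hashes against a baseline captured from a known-good server. The install path, the baseline file location and the signer-subject pattern are assumptions; a swapped DLL should surface as unsigned, signed by someone else, or as a hash that no longer matches the baseline.

```powershell
# Added example (not the article's or Microsoft's code). Flags DLLs under the
# AD FS directory that are unsigned, not signed by Microsoft, or whose hash
# differs from a previously captured baseline.
# Assumptions: AD FS lives in the default path C:\Windows\ADFS, and the
# baseline CSV was produced by this same script (-WriteBaseline) on a server
# you trust.
param(
    [string]$AdfsPath     = 'C:\Windows\ADFS',
    [string]$BaselinePath = "$env:ProgramData\adfs-dll-baseline.csv",
    [switch]$WriteBaseline
)

$dlls = Get-ChildItem -Path $AdfsPath -Filter *.dll -Recurse -File

# One row per DLL: signature status, signer subject, SHA-256 and a verdict.
$report = foreach ($dll in $dlls) {
    $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
    $hash   = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path    = $dll.FullName
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer  = $signer
        Sha256  = $hash
        Reason  = ''
        # Anything not validly signed by Microsoft is worth a look.
        Suspect = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    }
}

if ($WriteBaseline) {
    # Capture path -> hash from a known-good server for later comparison.
    $report | Select-Object Path, Sha256 |
        Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written for $($report.Count) DLLs to $BaselinePath"
    return
}

# A replaced DLL that the attacker managed to sign would still show up here
# as a hash that differs from the baseline, or as a file the baseline never saw.
if (Test-Path $BaselinePath) {
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.Sha256 }
    foreach ($row in $report) {
        if (-not $baseline.ContainsKey($row.Path)) {
            $row.Suspect = $true
            $row.Reason  = 'not in baseline'
        } elseif ($baseline[$row.Path] -ne $row.Sha256) {
            $row.Suspect = $true
            $row.Reason  = 'hash differs from baseline'
        }
    }
}

$suspects = @($report | Where-Object Suspect)
if ($suspects.Count -gt 0) {
    Write-Warning "$($suspects.Count) DLL(s) under $AdfsPath need review:"
    $suspects | Format-Table Path, Status, Signer, Reason -AutoSize
} else {
    Write-Output "All $($report.Count) DLLs are validly signed by Microsoft and match the baseline."
}
```

Run it once with `-WriteBaseline` on a server you trust, then periodically without the switch on each AD FS node. Two caveats: an attacker with administrative access to the server can also tamper with the PowerShell that performs the check, so hashes collected this way are best compared on a separate, trusted host; and a valid Microsoft signature on every file only means nothing was swapped for an unsigned binary, not that the server is clean, since the claims logic could be altered elsewhere.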
According to Microsoft, MagicWeb is a more capable successor to the previously used, specialized FoggyWeb tool, which likewise establishes a difficult-to-shake foothold inside victim networks.
MagicWeb goes beyond the collection capabilities of FoggyWeb by granting covert access directly, Microsoft researchers explained. It manipulates the user authentication certificates that AD FS uses for authentication, not the token-signing certificates abused in attacks like Golden SAML.
For now, MagicWeb use appears to be highly targeted, according to Microsoft's advisory.





