Microsoft has issued a warning about the hacking group behind the 2020 SolarWinds supply chain attack. The company said the group has a new technique for bypassing authentication in most corporate networks. It gives the attackers a more specialized mechanism, and Microsoft has named it “MagicWeb”. It lets the attackers keep a strong foothold in a network even as defenders try to expel them.
Microsoft refers to the group behind these earlier attacks as Nobelium. The hackers are not using a supply chain attack to deploy MagicWeb; instead they abuse administrative privileges. The US and UK have attributed Nobelium to the SVR (Russia’s Foreign Intelligence Service). The group compromised SolarWinds’ software build systems in 2020.
Nobelium has attempted several high-profile supply chain attacks. The SolarWinds compromise reached some 18,000 targets, including various US agencies and tech firms such as Microsoft. Microsoft and other security companies have since uncovered a range of sophisticated tooling used in these intrusions, including Nobelium’s backdoors and now MagicWeb.
MagicWeb can Reach AD FS Enterprise Identity Systems
MagicWeb is specifically designed to target enterprise identity systems such as AD FS (Active Directory Federation Services). It is aimed at on-premises AD FS servers rather than the cloud-based Azure Active Directory, so Microsoft recommends isolating AD FS in order to restrict unauthorized access. The company stressed that Nobelium remains a highly active threat.
In July 2021 Microsoft announced that it had found Nobelium info-stealer malware on one of its support agents’ PCs, which the attackers then used to launch attacks on others. Nobelium has also impersonated USAID in related hacking campaigns. In October 2021 Microsoft highlighted Nobelium attacks on software and cloud service resellers.
Nobelium Attacks Abused the Trust Between Customers and Suppliers
Those attacks once again abused the trust between customer and supplier to gain direct access to customers’ IT systems. One month before the cloud and reseller attacks, Microsoft had discovered a Nobelium tool called FoggyWeb: a backdoor that collects information from an AD FS server, obtains its token-signing and encryption certificates, and deploys additional malware.
MagicWeb uses similar strategies to target AD FS, but Microsoft said it goes beyond FoggyWeb’s collection capability by establishing covert access directly. MagicWeb is a malicious DLL that lets the attacker manipulate the claims placed in the tokens an AD FS server generates, including the user authentication certificates used for verification.
Golden SAML Uses x509 Certificates in Attacks
Microsoft said the attackers used signing certificates in attacks such as Golden SAML (Security Assertion Markup Language). SAML uses x509 certificates to build trust relationships between services and identity providers and to sign and decode tokens. The attackers obtained highly privileged credentials before deploying MagicWeb, then moved laterally through the network to gain admin rights on an AD FS system.
Microsoft stressed that this is not a supply chain attack. The attackers obtained admin access to the AD FS servers and replaced a legitimate DLL with their malicious one, so the malware loads with the AD FS system in place of the approved binary. Microsoft recommends keeping AD FS infrastructure isolated or migrating to Azure Active Directory. The company has also explained how MagicWeb achieves its authentication bypass.
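The trust relationship described above rests on the relying party accepting only tokens signed by the identity provider’s token-signing certificate. The following is an added illustration of two checks a relying party can layer on top of full XML-signature validation: pinning the signing certificate’s thumbprint and cross-checking privileged claims against an expected-admin list. It is example code written for this article, not Microsoft’s or AD FS’s own code; the certificate bytes, the claim type URI, the role value “Domain Admins” and the user names are all constructed, and the assertion builder produces an unsigned envelope purely so the parser has something to inspect.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 assertions and XML Digital Signature.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the identity provider's token-signing
# certificate. A real relying party loads the configured certificate and pins
# its thumbprint; AD FS displays thumbprints as SHA-1 over the DER encoding.
TRUSTED_SIGNING_CERT_DER = b"constructed-token-signing-certificate-der-bytes"
TRUSTED_THUMBPRINTS = {hashlib.sha1(TRUSTED_SIGNING_CERT_DER).hexdigest()}

# Constructed policy: any user carrying one of these claim values must be on
# the expected-admin list, otherwise the token is flagged for review.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
PRIVILEGED_CLAIMS = {ROLE_CLAIM: {"Domain Admins"}}
EXPECTED_ADMINS = {"alice@corp.example"}


def cert_thumbprint(b64_cert: str) -> str:
    """SHA-1 thumbprint of a base64-encoded DER certificate."""
    return hashlib.sha1(base64.b64decode(b64_cert)).hexdigest()


def inspect_assertion(xml_text: str) -> dict:
    """Pin the signing certificate and cross-check privileged claims.

    This does NOT verify the XML signature itself; that must be done with a
    proper XML-DSig implementation before these checks are even meaningful.
    """
    root = ET.fromstring(xml_text)
    findings = []
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)

    # 1. The certificate carried in KeyInfo must be one we have pinned.
    cert_el = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        findings.append("assertion carries no signing certificate")
    else:
        tp = cert_thumbprint(cert_el.text.strip())
        if tp not in TRUSTED_THUMBPRINTS:
            findings.append(f"unknown signing certificate thumbprint {tp}")

    # 2. Collect the attribute claims the identity provider asserted.
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    # 3. Privileged claims are only acceptable for users expected to hold them.
    for name, privileged_values in PRIVILEGED_CLAIMS.items():
        granted = privileged_values.intersection(claims.get(name, []))
        if granted and subject not in EXPECTED_ADMINS:
            findings.append(f"{subject} carries privileged claim(s) {sorted(granted)}")

    return {"subject": subject, "claims": claims, "findings": findings}


def build_assertion(name_id: str, roles, cert_der: bytes) -> str:
    """Constructed sample assertion (unsigned envelope, for illustration only)."""
    roles_xml = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_CLAIM}">{roles_xml}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for who, roles, cert in [
        ("alice@corp.example", ["Domain Admins"], TRUSTED_SIGNING_CERT_DER),
        ("bob@corp.example", ["Domain Admins"], TRUSTED_SIGNING_CERT_DER),
        ("alice@corp.example", ["Users"], b"constructed-rogue-certificate"),
    ]:
        print(inspect_assertion(build_assertion(who, roles, cert))["findings"])
```

The thumbprint check catches a token signed with a certificate that is not the configured one; it cannot catch a token signed with the genuine certificate, which is exactly the case in Golden SAML and in the MagicWeb scenario, where the claims are altered inside AD FS before the legitimate signing step. That is why the second check exists: a claims cross-check against an independent source of truth is one of the few relying-party-side signals left once the identity provider itself is compromised, and it should be paired with rotating the token-signing certificate after any suspected compromise.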
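Because the technique depends on a legitimate AD FS DLL being swapped for a malicious one, a defender’s most direct check is file integrity of the AD FS installation directory against a known-good baseline. The following is an added example of such a baseline comparison, written for this article rather than taken from Microsoft or AD FS; the directory path is a placeholder argument, and the DLL names and contents in the demo are constructed in a temporary directory so it runs anywhere.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(adfs_dir: Path) -> dict:
    """SHA-256 of every DLL under the AD FS directory, keyed by relative path."""
    return {
        str(p.relative_to(adfs_dir)).replace("\\", "/"): hash_file(p)
        for p in sorted(adfs_dir.rglob("*.dll"))
        if p.is_file()
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # Store the baseline off the server; an attacker with admin rights on
    # the AD FS host could otherwise rewrite it alongside the DLL.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_to_baseline(adfs_dir: Path, baseline: dict) -> dict:
    """Report DLLs whose hash changed, DLLs that appeared, and DLLs that vanished."""
    current = build_baseline(adfs_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        adfs_dir = Path(tmp) / "ADFS"          # placeholder for the real install path
        adfs_dir.mkdir()
        (adfs_dir / "example-legit.dll").write_bytes(b"constructed legitimate AD FS module")
        (adfs_dir / "example-helper.dll").write_bytes(b"constructed helper module")

        baseline_path = Path(tmp) / "adfs-baseline.json"
        save_baseline(build_baseline(adfs_dir), baseline_path)

        # Simulate the tampering the article describes: one legitimate DLL
        # replaced in place, and one extra DLL dropped into the directory.
        (adfs_dir / "example-legit.dll").write_bytes(b"constructed replacement module")
        (adfs_dir / "dropped-example.dll").write_bytes(b"constructed extra module")

        return compare_to_baseline(adfs_dir, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash baseline only has value when it is captured from a state you trust (immediately after installation or patching), stored where the AD FS host cannot overwrite it, and refreshed after every legitimate update; a comparison is then a scheduled job run from a separate monitoring host. On the server itself this complements, rather than replaces, checking each DLL’s Authenticode signature, which on Windows can be done with the Get-AuthenticodeSignature cmdlet.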