IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

SolarWinds hackers strike again with a new “MagicWeb” authentication exploit

Microsoft warns MagicWeb can abuse admin credentials to hijack AD FS enterprise identity system

A close up of a person in a suit shuffling cards

Microsoft has warned that Nobelium, the hackers behind the infamous SolarWinds fiasco, have uncovered a novel technique to violate corporate authentication.

In stark contrast to past attacks that leveraged supply chain mechanisms, the new bypass, named "MagicWeb" by Microsoft, abuses admin credentials to gain ascendancy over a network.

Related Resource

Escape the ransomware maze

Conventional endpoint protection tools just aren’t the best defence anymore

Whitepaper cover with overhead image of a man sat at a deska with a computer in the centre of a maze in the shadowsFree Download

Notably, MagicWeb compromises an enterprise identity system called Active Directory Federation Server (AD FS).

"MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML," explained Microsoft.

From emulating USAID in spear-phishing campaigns to installing a post-compromise backdoor called FoggyWeb that amasses details from AD FS, Microsoft forewarns Nobelium is "highly active”.

Back in April 2021, Nobelium employed FoggyWeb to remotely exfiltrate sensitive information from a compromised AD FS server, while also controlling token-signing and token-encryption certificates.

Drawing a comparison, Microsoft states MagicWeb "goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly". It makes use of SAML x509 certificates that "contain enhanced key usage (EKU) values that specify what applications the certificate should be used for".

"This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary," added Microsoft.

As a precaution, Microsoft recommends enterprises isolate their AD FS infrastructure and limit access to admin accounts, or migrate to Azure Active Directory.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Most Popular

The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Google rolls out patch for high-severity Chrome browser zero day
zero-day exploit

Google rolls out patch for high-severity Chrome browser zero day

25 Nov 2022