SolarWinds hackers strike again with a new “MagicWeb” authentication exploit
Microsoft warns MagicWeb can abuse admin credentials to hijack AD FS enterprise identity system
Microsoft has warned that Nobelium, the hackers behind the infamous SolarWinds attack, have developed a novel technique for bypassing corporate authentication.
In stark contrast to past attacks that leveraged supply chain mechanisms, the new bypass, named "MagicWeb" by Microsoft, abuses admin credentials to take control of a network.
Notably, MagicWeb compromises an enterprise identity system called Active Directory Federation Services (AD FS).
"MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML," explained Microsoft.
From impersonating USAID in spear-phishing campaigns to installing a post-compromise backdoor called FoggyWeb that harvests details from AD FS, Microsoft warns that Nobelium remains "highly active".
Back in April 2021, Nobelium employed FoggyWeb to remotely exfiltrate sensitive information from a compromised AD FS server, while also controlling token-signing and token-encryption certificates.
Drawing a comparison, Microsoft states MagicWeb "goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly". It makes use of SAML X.509 certificates that "contain enhanced key usage (EKU) values that specify what applications the certificate should be used for".
"This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary," added Microsoft.
As a precaution, Microsoft recommends enterprises isolate their AD FS infrastructure and limit access to admin accounts, or migrate to Azure Active Directory.
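Because the technique Microsoft describes relies on a legitimate AD FS DLL being swapped for an attacker-controlled one, a defender's first check is whether every DLL loaded by AD FS still carries a valid Microsoft Authenticode signature. The script below is an added example written for this article; it is not code from Microsoft, from the article, or from any Nobelium report. The two scan paths are the Windows defaults for the AD FS install directory and the .NET Global Assembly Cache and are assumptions about the deployment; the `*Microsoft*` signer match is a deliberately coarse filter that will also surface legitimate third-party DLLs, which is why each hit is reported with a SHA-256 for comparison against a known-good baseline.

```powershell
# Added example (not from the article or from Microsoft): list DLLs under the
# AD FS install directory and the GAC whose Authenticode signature is missing,
# invalid, or not issued to Microsoft. Run on the AD FS server as an administrator.
$ScanRoots = @(
    "$env:SystemRoot\ADFS",                     # default AD FS install directory (assumption)
    "$env:SystemRoot\Microsoft.NET\assembly"    # GAC for .NET 4.x assemblies (assumption)
)

function Get-SuspiciousAdfsDll {
    param([string[]]$Roots = $ScanRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        Get-ChildItem -Path $root -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

                # Trusted only if the signature chain validates AND the signer is Microsoft.
                # A replaced DLL typically fails one or both of these conditions.
                $trusted = ($sig.Status -eq 'Valid') -and ($subject -like '*Microsoft*')

                if (-not $trusted) {
                    [pscustomobject]@{
                        Path            = $_.FullName
                        SignatureStatus = $sig.Status
                        Signer          = $subject
                        LastWriteTime   = $_.LastWriteTime
                        # Hash for cross-checking against a known-good baseline or VT/EDR telemetry
                        SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

# Newest modifications first, since a freshly dropped DLL will stand out by timestamp.
Get-SuspiciousAdfsDll | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Treat any unsigned or non-Microsoft DLL with a recent write time in these directories as an incident-response lead rather than proof of compromise: compare the hash and timestamp against a baseline taken from a freshly built AD FS server, and pair the file check with the access controls the article recommends, since an attacker who already holds AD FS admin rights can re-drop the file after it is removed.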