Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group.
The malware that allowed the authentication bypass — which Microsoft called MagicWeb — gave Nobelium the ability to implant a backdoor on the unnamed customer's AD FS server, then use specially crafted certificates to bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, capturing the authentication certificates used by the attacker, and then reverse-engineered the backdoor code.
The eight investigators were not focused "so much [on] a whodunit as a how-done-it," Microsoft's Detection and Response Team (DART) stated in its Incident Response Cyberattack Series publication.
"Nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their sponsor, as well as access to unique, modern hacking tactics, techniques, and procedures (TTPs)," the company stated. "Unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch."
A "Masterclass" in Cyber Chess
MagicWeb used highly privileged certifications to move laterally through the network by gaining administrative access to an AD FS system. AD FS is an identity management platform that offers a way of implementing single sign-on (SSO) across on-premises and third-party cloud systems. The Nobelium group paired the malware with a backdoor dynamic link library (DLL) installed in the Global Assembly Cache, an obscure piece of .NET infrastructure, Microsoft said.
MagicWeb, which Microsoft first described in August 2022, was built on previous post-exploitation tools, such as FoggyWeb, which could steal certificates from AD FS servers. Armed with these, the attackers could make their way deep into organizational infrastructure, exfiltrating data along the way, breaking into accounts, and impersonating users.
The level of effort needed to uncover the sophisticated attack tools and techniques shows that the upper echelons of attackers require companies to be playing their best defense, according to the Microsoft.
"Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess," the company stated. "In fact, Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia."
Limit Privileges for Identity Systems
Companies need to treat AD FS systems and all identity providers (IdPs) as privileged assets in the same protective tier (Tier 0) as domain controllers, Microsoft stated in its incident response advisory. Such measures limit who can access those hosts and what those hosts can do on other systems.
In addition, any defensive techniques that raise the cost of operations for cyberattackers can help prevent attacks, Microsoft stated. Companies should use multifactor authentication (MFA) across all accounts throughout the organization and make sure they monitor the authentication data flows to have visibility into potential suspicious events.