MagicWeb Mystery Highlights Nobelium Attacker's Sophistication

The authentication bypass used by the Nobelium group, best known for the supply chain attack on SolarWinds, required a massive, real-time investigation to uncover, Microsoft says.

2 Min Read
abstract with an eye demonstrating the concept of identity
Source: Carlos Castilla via Alamy Stock Photo

Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group. 

The malware that allowed the authentication bypass — which Microsoft called MagicWeb — gave Nobelium the ability to implant a backdoor on the unnamed customer's AD FS server, then use specially crafted certificates to bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, capturing the authentication certificates used by the attacker, and then reverse-engineered the backdoor code.

The eight investigators were not focused "so much [on] a whodunit as a how-done-it," Microsoft's Detection and Response Team (DART) stated in its Incident Response Cyberattack Series publication.

"Nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their sponsor, as well as access to unique, modern hacking tactics, techniques, and procedures (TTPs)," the company stated. "Unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch."

The attack underscores the increasing sophistication of APT groups, which have increasingly targeted technology supply chains, such as the SolarWinds breach, and identity systems

A "Masterclass" in Cyber Chess

MagicWeb used highly privileged certifications to move laterally through the network by gaining administrative access to an AD FS system. AD FS is an identity management platform that offers a way of implementing single sign-on (SSO) across on-premises and third-party cloud systems. The Nobelium group paired the malware with a backdoor dynamic link library (DLL) installed in the Global Assembly Cache, an obscure piece of .NET infrastructure, Microsoft said.

MagicWeb, which Microsoft first described in August 2022, was built on previous post-exploitation tools, such as FoggyWeb, which could steal certificates from AD FS servers. Armed with these, the attackers could make their way deep into organizational infrastructure, exfiltrating data along the way, breaking into accounts, and impersonating users.

The level of effort needed to uncover the sophisticated attack tools and techniques shows that the upper echelons of attackers require companies to be playing their best defense, according to the Microsoft.

"Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess," the company stated. "In fact, Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia."

Limit Privileges for Identity Systems

Companies need to treat AD FS systems and all identity providers (IdPs) as privileged assets in the same protective tier (Tier 0) as domain controllers, Microsoft stated in its incident response advisory. Such measures limit who can access those hosts and what those hosts can do on other systems. 

In addition, any defensive techniques that raise the cost of operations for cyberattackers can help prevent attacks, Microsoft stated. Companies should use multifactor authentication (MFA) across all accounts throughout the organization and make sure they monitor the authentication data flows to have visibility into potential suspicious events.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights