You should isolate your Active Directory Federation Server: the Kremlin's top hackers prize these servers as a way to authenticate once they have already compromised a target's network.
Microsoft has advised that the hackers responsible for the 2020 SolarWinds supply chain attack have developed a new method to bypass corporate network security once they have gained access.
The capability, which Microsoft calls MagicWeb, lets the actors keep their foothold in the network even while defenders try to evict them. Unlike earlier attacks by the group, which Microsoft tracks as Nobelium, MagicWeb is not delivered through a supply chain compromise; the attackers install it using administrator credentials.
The US and UK have reportedly assessed that Nobelium actors belong to a hacking unit of the Russian Foreign Intelligence Service (SVR). Nobelium actors have orchestrated several major supply chain breaches since they compromised SolarWinds' software build system in the second quarter of 2020. That attack hit 18,000 targets, among them several US agencies and technology companies, Microsoft included.
Since then, Microsoft and other security companies have identified many advanced Nobelium tools, including backdoors, and MagicWeb is one of the most recent. MagicWeb targets the enterprise identity system, specifically Active Directory Federation Services (AD FS), the on-premises federation server, as distinct from the cloud-hosted Azure Active Directory. This is why Microsoft recommends isolating AD FS and restricting access to it.
Microsoft says Nobelium remains "highly active." In July of last year, Microsoft revealed it had found Nobelium information-stealing malware on the computer of one of its support agents, which the attackers later used to initiate attacks against other support agents. Nobelium actors have also impersonated USAID in spear-phishing attacks.
On October 1, Microsoft highlighted Nobelium attacks on cloud service and software resellers, once again exploiting the trust between supplier and customer to gain access to customers' IT systems.
A month before the reseller attacks were disclosed, Microsoft exposed another Nobelium tool, a backdoor named FoggyWeb. This post-compromise backdoor harvests the AD FS configuration to obtain the token-signing and token-encryption certificates, and it also uses that access to deploy further malware.
MagicWeb uses similar strategies against AD FS, but Microsoft says MagicWeb "goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly."
“MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.”
SAML, Microsoft explains, is the Security Assertion Markup Language, which uses X.509 certificates to establish trust relationships between identity providers and service providers and to sign and decrypt tokens.
Before deploying MagicWeb, the attackers obtained highly privileged credentials, then moved laterally through the network to gain administrative rights on an AD FS system.
“This is not a supply chain attack,” Microsoft stated. “The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary.”
Microsoft's security teams, MSTIC, Microsoft 365 Defender Research, and the Microsoft Detection and Response Team (DART), discovered MagicWeb on a customer's systems and assess that it is being used in "highly targeted" attacks.
Microsoft recommends that customers keep their AD FS infrastructure isolated and accessible only through designated administrator accounts or switch to Azure Active Directory.
Microsoft gives a detailed explanation of how MagicWeb bypasses authentication. It hinges on how AD FS "claims-based authentication" works: rather than providing single sign-on for one organization only, AD FS issues "claims" (tokens) that let other parties (customers, suppliers, and partners) authenticate through the same single sign-on.
“MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server,” Microsoft explains.
MagicWeb also abuses the X.509 certificates used in SAML sign-ins, which "contain enhanced key usage (EKU) values that specify what applications the certificate should be used for." Each EKU is identified by an Object Identifier (OID); a standard OID exists, for example, for smart card logon. Organizations can also define custom OIDs to restrict what their certificates may be used for.
“MagicWeb’s authentication bypass comes from passing a non-standard Enhanced Key Usage OID that is hardcoded in the MagicWeb malware during an authentication request for a specified User Principal Name,” Microsoft describes.
“When this unique hard-coded OID value is encountered, MagicWeb will cause the authentication request to bypass all standard AD FS processes (including checks for MFA) and validate the user’s claims. MagicWeb is manipulating the user authentication certificates used in SAML sign-ins, not the signing certificates for a SAML claim used in attacks like Golden SAML.”
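Microsoft's description above turns on a non-standard EKU OID in the sign-in certificate. As an added example (not code from Microsoft or the article), the Python below decodes a certificate's DER-encoded EKU extension and flags any OID outside an allowlist, the kind of check a defender can run over certificates presented to a federation server; the sample extension bytes and the unregistered OID are constructed placeholders.

```python
# Added example, not code from Microsoft or the article: decode a certificate's
# DER-encoded Extended Key Usage (EKU) extension and flag OIDs not on an allowlist.
# Sample bytes are constructed; the "unexpected" OID is a placeholder, not MagicWeb's.
KNOWN_EKU = {"1.3.6.1.5.5.7.3.2": "clientAuth",             # OIDs an AD FS sign-in
             "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon"}  # is expected to carry

def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06); used only to build the sample."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but last
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(ext):
    """Parse an EKU value: SEQUENCE OF OBJECT IDENTIFIER (short-form lengths)."""
    if len(ext) < 2 or ext[0] != 0x30 or ext[1] >= 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    oids, pos, end = [], 2, 2 + ext[1]
    while pos < end:
        if ext[pos] != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        length = ext[pos + 1]
        oids.append(decode_oid(ext[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def unexpected_ekus(ext, allow=KNOWN_EKU):
    """Return the EKU OIDs that no policy in this organisation has registered."""
    return [oid for oid in parse_eku(ext) if oid not in allow]

# Constructed sample: clientAuth + smart card logon + one unregistered private OID
SAMPLE_OIDS = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.4.1.99999.1.1"]
_body = b"".join(encode_oid(o) for o in SAMPLE_OIDS)
SAMPLE_EKU_EXT = bytes([0x30, len(_body)]) + _body
```

An alert on any OID outside the allowlist is only a signal; the follow-up is to confirm which AD FS binaries are loaded and whether they are the vendor-signed ones.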
Organizations that may be targeted should read Microsoft's blog post for guidance on protecting their networks, identities, and authentication systems.