Microsoft says it has uncovered a tactic used by Russia-aligned threat actors that is used to maintain persistent access to compromised environments after leveraging an Active Directory Federation Services (AD FS) server.
In a lengthy blog post, Microsoft details how NOBELIUM—the codename attached to the same threat group that leveraged the SolarWinds Orion platform and other tools to gain access to sensitive U.S. agency networks—uses a post-exploitation capability named MagicWeb.
While similar to a previously discovered post-exploitation capability named FoggyWeb that exfiltrates the configuration database of compromised AD FS servers, decrypting token-signing certificates and token-decryption certificates, and downloading and executing additional malware components, MagicWeb goes further by facilitating covert access directly, the company says.
“MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server,” Microsoft security researchers write in the blog. “It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.”
Nobelium first gains access to highly privileged credentials and moves laterally to gain admin privileges to an AD FS system, and then replaces a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary.
Microsoft is urging customers to harden their AD FS servers and make sure attackers can’t gain administrative access. Once they do, they have many options for further compromise, obfuscation and persistence.
“We recommend that any such infrastructure is isolated, accessible only by dedicated admin accounts, and regularly monitored for any changes,” Microsoft security professionals say. “Other security measures that can prevent this and other attacks include credential hygiene to prevent lateral movement.”
Since AD FS is an on-premises server, deployments tend to get out of date or go unpatched, which can be compromised locally and by lateral movement.
Microsoft calls on organizations to migrate to a cloud-based identity solution like Azure Active Directory for federated authentication.
While the actions of NOBELIUM are highly targeted against government, non-governmental organizations, intergovernmental organizations and think tanks across the U.S., Europe and Central Asia, Microsoft warns that other threat actors could begin adopting similar techniques, making this threat more widespread.
The company recommends treating AD FS servers as a Tier 0 asset, which means protecting them with the same tools and procedures normally applied to domain controllers or other critical security infrastructure.
A compromise of an AD FS server could lead to total control of authentication to configured relying parties, including Azure AD tenants configured to use the AD FS server, Microsoft says.
Those with admin access should practice credential hygiene to protect and prevent exposure of those highly privileged accounts, especially on more easily compromised systems such as workstations with controls like logon restrictions and preventing lateral movement with controls like Windows Firewall, Microsoft says.
This article was originally published in CS sister publication MyTechDecisions.com. Zachary Comeau is TD’s editor.