The threat actors behind the cyberattack on SolarWinds are using a malware variant dubbed FoggyWeb to steal data from compromised Active Directory servers.
In a recent blog post, Microsoft shared an in-depth analysis of the malware, which is being used as a persistent backdoor into victims’ single sign-on servers. The threat group, tracked as Nobelium by Microsoft, has been using FoggyWeb malware in attacks since at least April 2021. Microsoft says FoggyWeb is a post-exploitation backdoor that is used to remotely exfiltrate sensitive data from victims’ Active Directory Federation Services (AD FS) servers. AD FS servers are used for single sign-on across cloud-based apps in Microsoft environments through the sharing of digital identity and entitlement rights.
Nobelium uses a variety of techniques to steal credentials and escalate privileges to admin on AD FS servers. Once Nobelium has obtained credentials and has successfully compromised a server, it maintains persistence and uses a variety of tools to deepen its intrusion, several of which have already been analyzed and described by Microsoft.
The threat group deploys FoggyWeb to exfiltrate data and download and exfiltrate additional malicious components. “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” explained Microsoft.
The malware abuses the Security Assertion Markup Language (SAML) token in AD FS, and “configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target’s AD FS deployment,” explained Ramin Nafisi, a security researcher at the Microsoft Threat Intelligence Center (MSTIC). “The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.”
The malware is stored in an encrypted file named Windows.Data.TimeZones.zh-PH.pri, and is loaded by a file named version.dll, which leverages the CLR hosting interfaces and APIs to load FoggyWeb in the same Application Domain in which legitimate AD FS managed code is executed. That means the backdoor “gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations.”
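The two behaviours described above, the custom HTTP listeners answering actor-defined URIs that look like AD FS URIs and the two file names dropped beside the AD FS binaries, each suggest a simple detection check. The script below is an added example written for this article, not code from Microsoft or from the original post. It assumes a minimal “METHOD PATH STATUS” access-log format, an AD FS install directory of C:\Windows\ADFS, and a constructed baseline of legitimate AD FS paths; a real baseline must be derived from the organisation’s own deployment. Only the two file names come from the article; every other path and log line is constructed.

```python
"""Added example (not from the article or Microsoft): two defender-side checks
over AD FS telemetry.  All log lines, directory listings and baseline paths are
constructed assumptions for the demonstration."""
import re
from pathlib import PureWindowsPath

# Constructed baseline of what this hypothetical AD FS deployment actually serves.
# Build a real one from the deployment's configuration and static-content inventory.
KNOWN_DYNAMIC_PREFIXES = ("/adfs/ls/", "/adfs/services/trust/", "/adfs/oauth2/")
KNOWN_STATIC_PATHS = {
    "/adfs/portal/images/theme/light01/logo.png",
    "/FederationMetadata/2007-06/FederationMetadata.xml",
}

# The two file names the article reports (compared case-insensitively).
ARTICLE_IOC_FILENAMES = {"windows.data.timezones.zh-ph.pri", "version.dll"}

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_log(text):
    """Parse constructed 'METHOD PATH STATUS' lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append((m["method"], m["path"], int(m["status"])))
    return rows


def flag_unbaselined_adfs_requests(rows):
    """Return (method, path) for successfully served requests outside the baseline.

    FoggyWeb's listeners answer actor-defined URIs shaped like real AD FS URIs, so a
    request that was served (status < 400) for a path the deployment does not expose
    deserves review.  Requests that failed are ordinary scanner noise and are ignored."""
    flagged = []
    for method, uri, status in rows:
        path = uri.split("?", 1)[0]          # drop the query string
        if status >= 400:
            continue
        if path in KNOWN_STATIC_PATHS:
            continue
        if any(path.startswith(p) for p in KNOWN_DYNAMIC_PREFIXES):
            continue
        flagged.append((method, path))
    return flagged


def flag_ioc_files(paths):
    """Return paths whose file name matches one of the article's two IoC names.

    version.dll is a Windows system library that legitimately lives in System32; a
    copy placed next to the AD FS binaries (assumed directory C:\\Windows\\ADFS) is
    the loader the article describes, so only copies outside System32 are flagged."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name not in ARTICLE_IOC_FILENAMES:
            continue
        if name == "version.dll" and wp.parent.as_posix().lower() == "c:/windows/system32":
            continue
        hits.append(p)
    return hits


# Constructed sample data so the script runs stand-alone.
SAMPLE_LOG = """\
GET /adfs/ls/?wa=wsignin1.0 200
POST /adfs/services/trust/13/usernamemixed 200
GET /adfs/portal/images/theme/light01/logo.png 200
GET /adfs/portal/images/theme/light01/HYPOTHETICAL.webp 200
POST /adfs/HYPOTHETICAL/endpoint 200
GET /adfs/nonexistent 404
"""
SAMPLE_FILES = [
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\ADFS\version.dll",
    r"C:\Windows\ADFS\Windows.Data.TimeZones.zh-PH.pri",
    r"C:\Windows\ADFS\HYPOTHETICAL-other.dll",
]

if __name__ == "__main__":
    for item in flag_unbaselined_adfs_requests(parse_log(SAMPLE_LOG)):
        print("review request:", *item)
    for f in flag_ioc_files(SAMPLE_FILES):
        print("IoC file name:", f)
```

The request check deliberately keys on served requests rather than on the URI alone: the article’s point is that the listeners respond on paths the real AD FS code never registered, so a 200 for an unbaselined path is the signal, while failed probes are left out.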
The backdoor gains access to the AD FS codebase and resources, including the configuration database, and inherits the AD FS service account permissions needed to access that configuration database.
Microsoft has shared details of the malware and Indicators of Compromise (IoCs), and has made recommendations on how to mitigate the threat, which include auditing on-premises and cloud infrastructure to look for configuration changes, removing user and app access and reviewing configurations, re-issuing new, strong credentials, and using a hardware security module to block the exfiltration of sensitive data.