Russian-based malware lets attackers log in as a user and bypass MFA
Cal Harrison
August 26, 2022
Recently discovered Russia-linked MagicWeb malware, which targets on-premises Microsoft Active Directory Federation Services (AD FS) servers, underscores the benefits of cloud-based identity infrastructure and zero trust, security researchers say.
In an alert published this week, Microsoft said Nobelium, the Russian state-sponsored group linked to the 2020 SolarWinds supply chain hack, deployed MagicWeb after obtaining “highly privileged credentials” at an unnamed organization and then moving laterally to gain administrative privileges on an AD FS server.
MagicWeb is a malicious DLL that lets the attacker manipulate the claims carried in the tokens an AD FS server issues, giving them the ability to “log in as any user” and bypass multi-factor authentication, Microsoft says. To guard against such attacks, the software giant recommends isolating the AD FS infrastructure, ensuring proper monitoring, restricting access to dedicated administrator accounts, and considering a move to a cloud-based identity service such as Azure Active Directory for federated authentication.
“AD FS is an on-premises server, and as with all on-premises servers, deployments may become outdated and/or unpatched, and may be affected by local environment compromises and lateral movement,” Microsoft says.
The incident highlights the inherent weakness of the hybrid approach to Azure Active Directory that many organizations have adopted in recent years as they straddle the data center and the cloud, says Aaron Turner, CTO of SaaS Protect at Vectra, a San Jose, California-based AI cybersecurity company. Many believed that retaining on-premises control of accounts in legacy Active Directory would give them better visibility into attempts to compromise identities.
“Unfortunately, this hybrid approach has only doubled the attack surface that organizations must manage,” Turner told Information Security Media Group. “We saw it with the Hafnium campaign, where on-premises Exchange Server vulnerabilities were used to pivot to Exchange Online. The Nobelium group showed its ability to move from on-premises to cloud a year ago, so this latest disclosure is just an extension of its already advanced Microsoft 365 attack capabilities.”
The incident also makes the case for a zero trust architecture, which incorporates multi-factor authentication, least privilege, and the requirement that every user, device, application, and transaction be continually verified, says Chase Cunningham, director of security at Ericom Software and a zero trust specialist.
“It’s also further proof that the cloud is a good way to go, because you might have more control and visibility,” Cunningham told ISMG. “Preventing something like that would be quite difficult, but on the zero trust side I would say that with isolation and segmentation and mandatory requirements for authentication protocols, it would have at least limited the possibility of it being as prolific, and you would have had certain control capabilities to isolate it.”
Tactics and techniques
According to Microsoft, Nobelium had to obtain privileged access before deploying MagicWeb. Once deployed, the malware replaced the legitimate Microsoft.IdentityServer.Diagnostics.dll, which the AD FS server loads at startup to provide debugging functionality, with a backdoored, unsigned copy of that DLL.
Highly privileged access to the AD FS server “meant they could have performed any number of actions within the environment, but they specifically chose to target an AD FS server to facilitate their persistence goals and information theft during their operations,” Microsoft says.
Active Directory Federation Services provides single sign-on to web-facing applications, giving customers, partners, and vendors a simplified experience when accessing an organization’s web-based applications. It uses claims-based authentication: the server validates the user’s identity and their authorization claims, bundles those claims into a signed token, and relying applications trust that token for authentication. “MagicWeb injects itself into the claims process to perform malicious actions outside of the normal roles of an AD FS server,” Microsoft explains.
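Because MagicWeb works by swapping a signed Microsoft DLL for an unsigned one inside the AD FS process, the practical check an on-premises operator can run is to audit what the AD FS service actually loads. The script below is an added example, not code from the article or from Microsoft; it assumes a default AD FS install (program directory under `%windir%\ADFS`, the .NET 4 global assembly cache under `%windir%\Microsoft.NET\assembly`, service host process `Microsoft.IdentityServer.ServiceHost`, service name `adfssrv`) and must be run from an elevated 64-bit PowerShell session on the AD FS server itself.

```powershell
# Added example (not from the article or from Microsoft): audit the DLLs an AD FS
# server loads for missing or non-Microsoft Authenticode signatures.
# Paths, process name and service name are assumptions about a default install.

$serviceName = 'adfssrv'                               # assumed default AD FS service name
$processName = 'Microsoft.IdentityServer.ServiceHost'   # assumed AD FS service host process name
$scanRoots = @(
    "$env:windir\ADFS",                                  # assumed: AD FS program directory
    "$env:windir\Microsoft.NET\assembly"                 # assumed: .NET 4 GAC root
)

function Test-AdfsDllSignature {
    # Returns one record per file: signature status, signer subject, and a flag
    # set when the file is unsigned, tampered, or signed by someone other than Microsoft.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Suspicious = ($sig.Status -ne 'Valid') -or ($subject -notlike '*O=Microsoft Corporation*')
    }
}

# 1. On disk: every Microsoft.IdentityServer*.dll under the scan roots
#    (covers both the AD FS directory and the GAC copy the service host resolves at startup).
$onDisk = foreach ($root in $scanRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Filter 'Microsoft.IdentityServer*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object { Test-AdfsDllSignature -Path $_.FullName }
    }
}

# 2. In memory: the modules actually mapped into the running AD FS service host.
#    A replaced DLL that is already loaded shows up here even if the on-disk copy was restored.
$loaded = @()
$proc = Get-Process -Name $processName -ErrorAction SilentlyContinue
if ($proc) {
    $loaded = $proc.Modules |
        Where-Object { $_.FileName -like '*.dll' } |
        Select-Object -ExpandProperty FileName -Unique |
        ForEach-Object { Test-AdfsDllSignature -Path $_ }
} else {
    Write-Warning "Process $processName not found; is the AD FS service ($serviceName) running on this host?"
}

$findings = @($onDisk) + @($loaded) | Where-Object Suspicious | Sort-Object Path -Unique
if ($findings) {
    Write-Warning 'Unsigned or non-Microsoft DLLs in the AD FS load path:'
    $findings | Format-Table Path, Status, Signer -AutoSize
} else {
    Write-Output 'All Microsoft.IdentityServer*.dll files and loaded modules carry a valid Microsoft signature.'
}
```

A hit from this script is a lead, not proof of compromise: third-party agents (backup, EDR, monitoring) legitimately inject their own signed DLLs into the service host and will surface as non-Microsoft signers, so baseline the output on a known-good server first. The on-disk pass is the kind of file-integrity check that can be scheduled and forwarded to a SIEM; the in-memory pass is what an incident responder would run on a server already suspected of hosting MagicWeb.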
“Very active” Russian adversary
US and UK national security agencies said Nobelium is associated with the Russian Foreign Intelligence Service and is also known as StellarParticle, Cozy Bear and APT29. Microsoft says Nobelium is a “very active” group known for abusing identities and authenticated access as a method of maintaining persistence.
MagicWeb resembles the group’s FoggyWeb malware, discovered in September 2021, which could exfiltrate the configuration database of compromised AD FS servers, decrypt token-signing and token-decrypting certificates, and download and run additional malware components. MagicWeb goes further: its malicious DLL manipulates the user authentication certificates used for authentication, Microsoft explains.
Although the goal of the MagicWeb backdoor appears to be to maintain persistence, this new technique appears to be a unique step in a sophisticated attack chain, says Nicole Hoffman, principal cyber threat intelligence analyst at Digital Shadows.
“APT29 is well known for carrying out highly targeted attacks against government, critical infrastructure and other related sectors,” Hoffman told Information Security Media Group. “To achieve its goals, APT29 relies heavily on advanced internal tools and email spear-phishing attacks.”
The group compromised at least one email account at 27 U.S. Attorney’s offices in 15 states and Washington, D.C., during 2020, according to the U.S. Department of Justice. These intrusions into federal prosecutors’ offices targeted Microsoft Office 365 accounts belonging to department employees.
The group is known for its “unpredictable approach to espionage operations, alternating between deliberate, aggressive tactics and slower, more methodical approaches,” she says.
Microsoft says the attack on its customer was “highly targeted”, but warns that other threat actors could adopt similar tactics.
“As the Nobelium attacks showed last year, their techniques quickly proliferated in the ransomware community,” Turner says. “This has resulted in OneDrive ransomware attacks carried out by a wide range of bad actors. We should assume that their latest techniques will be quickly copied.”
Protect yourself from attacks
The success of these and other attacks, combined with recent multi-factor authentication breaches, validates Microsoft’s recommendation to move to Azure, says Vectra’s Turner.
“These latest Nobelium attacks should serve as a primary motivation for organizations to accelerate their migration to native Azure AD for authentication for organizations leveraging M365 services like Exchange Online, OneDrive, and Teams,” Turner said.
However, Microsoft’s recommendation to move to the cloud is a bit “selfish,” says John Bambenek, principal threat hunter at Netenrich, a SaaS security and operations analytics firm based in San Jose, Calif. Bambenek says additional internal checks could have detected the hack.
“Several things could detect this in on-premises environments, such as behavioral analysis, especially for privileged users, hardening AD FS as a critical asset, and file integrity monitoring that looks for changed DLLs,” says Bambenek.
Cunningham adds that Microsoft’s recommendation to isolate infrastructure and ensure proper oversight is “cyber 101” advice. Microsoft does a good job of identifying threats and responding to them, he says. “It’s really just that they have the biggest attack surface. It’s great for building things, but it’s just as bad at giving people room for compromise.”