Skip to main content

Microsoft warns of latest malware attack, explains how to avoid secret backdoor

Microsoft has recently discovered another type of malware, named FoggyWeb by Microsoft, that hackers are currently using to remotely steal network admin credentials. The credentials allow the attacker group, which the company has called Nobelium, to hack into admin accounts of the Active Directory Federation Services’ (AD FS) servers and control users’ access to various resources.

Microsoft claims that this is the same group behind the SolarWinds software supply chain attack that was revealed in December.

Privacy security stock photo.
Darwin Laganzon - typographyimages/Pixabay

The malware acts as a backdoor for the hackers and facilitates their remote theft of tokens and certificates from Microsoft’s identity platform.

The newly discovered malware is used by the attackers once the server they’re targeting has already been compromised in terms of security. The hacker group uses several tactics to access users’ identities and the necessary infrastructure that is required to take control of their app usage.

Ramin Nafisi of the Microsoft Threat Intelligence Center says: “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components”.

“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” Microsoft adds.

The backdoor that Nobelium manages to get past allows the hacker to access the Security Assertion Markup Language (SAML) token. This token is for assisting users to authenticate apps. Hacking the token permits the attackers to stay inside the network even after regular cleanups. In fact, according to Microsoft, FoggyWeb has been in use since April 2021.

Microsoft has uncovered a number of modules used by Nobelium. These include the GoldMax, GoldFinder, and Sibot components. These were built with the help of other malware that the same group was found guilty of using. These include Sunburst, Solarigate, Teardrop, and Sunspot.

For people who fall prey to the attack, Microsoft recommends auditing on-premise and cloud infrastructure for configurations, and per-user and per-app settings; removing user and app access, reviewing configurations, and reissuing new, strong credentials; and using a hardware security module to prevent FoggyWeb from stealing secrets from AD FS servers.

Editors' Recommendations

Dua Rashid
Former Digital Trends Contributor
Dua is a media studies graduate student at The New School. She has been hooked on technology since she was a kid and used to…
Microsoft stopped the largest DDoS attack ever reported
Nvidia T4 Enterprise Server Wall

Distributed Denial-of-Service (DDoS) attacks have become more common, and Microsoft recently published a blog post looking into the trends for such attacks on its own servers. In that post, the company says that, at one point, it stopped one of the largest-ever-recorded DDoS attacks on a Microsoft Azure server in Asia.

According to Microsoft's data, in November, an unnamed Azure customer in Asia was targeted with a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps.) The attack came from 10,000 sources from multiple countries across the globe, including China, South Korea, Russia, Iran, and Taiwan. The attack itself lasted 15 minutes. Yet it is not the first one of such scale, as there were two additional attacks, one of 3.25 Tbps and another of 2.55 Tbps in December in Asia.

Read more
Microsoft explains in detail how Xbox Series X Smart Delivery will work
xbox series x

Microsoft has shared more details on its Smart Delivery service as it prepares to transition from the Xbox One console to the upcoming Xbox Series X.

Microsoft unveiled Smart Delivery in February, saying that players will automatically get Xbox Series X versions of games they previously purchased digitally on the Xbox One at no additional charge. In a blog post on Monday, Microsoft said Smart Delivery will be available to all third-party developers but cautioned it'll be up to those developers to support the feature. If they don't, the feature won't be available on their games.

Read more
Beware of malware, adware when downloading Google Chrome through Microsoft Edge
microsoft edge click to run flash header

New Windows 10 PC owners should be careful about downloading Google Chrome through Microsoft Edge, as Bing is apparently returning search results that contain malware and adware.

There is a running joke that the only purpose of Microsoft Edge is to download Google Chrome, but it appears that the tables could easily turn for users who are not careful. Fortunately, Twitter user Gabriel Landau did not fall prey to a fake Google Chrome download page returned by a Bing search.

Read more