
Microsoft warns of latest malware attack, explains how to avoid secret backdoor

Microsoft has disclosed another piece of malware, which it calls FoggyWeb, that the attacker group Microsoft tracks as Nobelium is using against Active Directory Federation Services (AD FS) servers. FoggyWeb is not how the attackers get in: it is deployed after they have already obtained admin-level access to the AD FS server, and from there it lets them remotely steal the server’s configuration database and the certificates AD FS uses to sign and decrypt tokens, which in turn gives them control over users’ access to federated resources.

Microsoft says this is the same group that was behind the SolarWinds software supply chain attack disclosed in December 2020.


The malware acts as a backdoor for the attackers and lets them remotely steal tokens and certificates from AD FS, Microsoft’s on-premises identity federation platform.


The newly discovered malware comes into play only after the targeted server has already been compromised. Nobelium uses several techniques to obtain the admin credentials and the foothold on identity infrastructure it needs before it can take control of how users authenticate to applications.

Ramin Nafisi of the Microsoft Threat Intelligence Center says: “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”

“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” Microsoft adds.

The prize is the token-signing certificate. AD FS issues Security Assertion Markup Language (SAML) tokens that tell applications a user has authenticated; anyone holding the private key of that certificate can sign SAML tokens that relying parties will accept, impersonating any user without knowing a password. That access survives password resets and routine cleanups for as long as the stolen certificate remains trusted, which is how the attackers stay inside a network after the initial intrusion has been cleaned up. According to Microsoft, FoggyWeb has been in use since April 2021.

FoggyWeb joins a list of Nobelium tools Microsoft has already documented, including the GoldMax, GoldFinder, and Sibot components, as well as the malware the group was previously observed using in the SolarWinds intrusion itself: Sunburst (the Solorigate backdoor), Teardrop, and Sunspot.

For organisations that find FoggyWeb on an AD FS server, Microsoft recommends auditing on-premises and cloud infrastructure, including configurations and per-user and per-app settings; removing user and application access, reviewing the configurations, and issuing new, strong credentials, which for AD FS means replacing the token-signing and token-decryption certificates and updating every relying party that trusts them; and storing the AD FS private keys in a hardware security module so the key material cannot be exported by malware running on the server. Note that an HSM protects the private keys, not the configuration database itself, and that the certificates AD FS generates for itself during automatic rollover are kept in that database rather than in an HSM.
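The audit-and-reissue steps above, as an added example in PowerShell that is not code from the article or from Microsoft’s FoggyWeb write-up. It inventories the AD FS token-signing and token-decrypting certificates, reports where each private key is stored (software provider versus HSM key storage provider), compares the signing certificate Azure AD trusts against what the server actually holds, and optionally performs the urgent rollover. It assumes AD FS on Windows Server 2016 or later (the ADFS module), the MSOnline module for the cloud comparison, an elevated session on the primary AD FS server, and a federated domain of your own in `$FederatedDomain`; the value shown is a placeholder.

```powershell
# Added example, not code from the article or from Microsoft's FoggyWeb write-up.
# Audits the AD FS certificates FoggyWeb targets and, if $RotateNow is set, rolls
# them. Run in an elevated PowerShell session on the primary AD FS server.
# Assumptions: AD FS on Windows Server 2016 or later (ADFS module), the MSOnline
# module for the cloud comparison, and a federated domain of your own in
# $FederatedDomain (the value below is a placeholder).

Import-Module ADFS

$FederatedDomain = 'contoso.example'   # placeholder: your federated Azure AD domain
$RotateNow       = $false              # set to $true to perform the urgent rollover

function Get-KeyStorageInfo {
    # Reports which key storage provider holds a certificate's private key and
    # whether the key is exportable, so a software-resident key (copyable by
    # malware running as admin) can be told apart from an HSM-backed one.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) {
            # Certificates AD FS generated itself live in the configuration
            # database, not the machine store, so no key is reachable here.
            return [pscustomobject]@{ Provider = 'not in machine store (config DB or inaccessible)'; ExportPolicy = 'n/a' }
        }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return [pscustomobject]@{ Provider = $rsa.Key.Provider.Provider; ExportPolicy = [string]$rsa.Key.ExportPolicy }
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exp = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
            return [pscustomobject]@{ Provider = $rsa.CspKeyContainerInfo.ProviderName; ExportPolicy = $exp }
        }
        return [pscustomobject]@{ Provider = $rsa.GetType().Name; ExportPolicy = 'unknown' }
    } catch {
        return [pscustomobject]@{ Provider = "error: $($_.Exception.Message)"; ExportPolicy = 'unknown' }
    }
}

# 1. Inventory the token-signing and token-decrypting certificates. An extra
#    secondary certificate or an unfamiliar issuer is something to investigate.
$certs = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type
}
$certs | ForEach-Object {
    $info = Get-KeyStorageInfo -Cert $_.Certificate
    [pscustomobject]@{
        Type         = $_.CertificateType
        Primary      = $_.IsPrimary
        Thumbprint   = $_.Thumbprint
        Issuer       = $_.Certificate.Issuer
        NotAfter     = $_.Certificate.NotAfter
        Provider     = $info.Provider
        ExportPolicy = $info.ExportPolicy
    }
} | Format-Table -AutoSize

# 2. Compare against what Azure AD trusts for the federated domain. A signing
#    certificate in the cloud that is not on the server means the federation
#    trust was tampered with, or a rotation was never pushed.
Connect-MsolService
$fed = Get-MsolDomainFederationSettings -DomainName $FederatedDomain
$onPremSigning = @($certs | Where-Object CertificateType -eq 'Token-Signing' | ForEach-Object Thumbprint)
foreach ($b64 in @($fed.SigningCertificate, $fed.NextSigningCertificate) | Where-Object { $_ }) {
    $cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    if ($onPremSigning -notcontains $cloudCert.Thumbprint) {
        Write-Warning "Azure AD trusts signing certificate $($cloudCert.Thumbprint) that is not on this AD FS server"
    }
}

# 3. Rotate. With AutoCertificateRollover on, -Urgent generates and promotes a new
#    certificate immediately; the new public certificate must then be pushed to
#    every relying party (for Azure AD, Update-MsolFederatedDomain). The generated
#    keys are software keys in the configuration database; for HSM protection,
#    provision the key in the HSM's KSP and install it with Set-AdfsCertificate.
if ($RotateNow) {
    if ((Get-AdfsProperties).AutoCertificateRollover) {
        Update-AdfsCertificate -CertificateType Token-Signing    -Urgent
        Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
        Restart-Service adfssrv
        Update-MsolFederatedDomain -DomainName $FederatedDomain
    } else {
        Write-Warning 'AutoCertificateRollover is off: install a new certificate and run Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint <new thumbprint>'
    }
}
```

Two points worth keeping in mind when reading the output. First, the key-storage column is only meaningful for certificates you installed yourself: the ones AD FS generates during automatic rollover are stored in the configuration database, which is exactly what FoggyWeb exfiltrates, so an HSM only helps once you supply your own HSM-backed certificate and make it primary with `Set-AdfsCertificate`. Second, rotating the certificate on the server without updating every relying party either breaks sign-in (if the old certificate is removed from the relying parties) or leaves the attackers’ stolen certificate trusted (if it is not), so the cloud comparison in step 2 is worth re-running after the rollover.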

Dua Rashid
Former Digital Trends Contributor