Microsoft warns of latest malware attack, explains how to avoid secret backdoor

Microsoft has recently discovered another type of malware, which it has named FoggyWeb, that hackers are currently using to remotely steal network admin credentials. The credentials allow the attacker group, which the company calls Nobelium, to break into admin accounts on Active Directory Federation Services (AD FS) servers and control users’ access to various resources.

Microsoft claims that this is the same group behind the SolarWinds software supply chain attack that was revealed in December.

The malware acts as a backdoor for the hackers and facilitates their remote theft of tokens and certificates from Microsoft’s identity platform.

The newly discovered malware is deployed by the attackers only after the server they are targeting has already been compromised. The hacker group uses several tactics to gain access to users’ identities and to the infrastructure required to take control of their application usage.

Ramin Nafisi of the Microsoft Threat Intelligence Center says: “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components”.

“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” Microsoft adds.

The backdoor Nobelium plants gives the attackers access to Security Assertion Markup Language (SAML) tokens, which are used to authenticate users to applications. Control over these tokens lets the attackers remain inside the network even after regular cleanups. In fact, according to Microsoft, FoggyWeb has been in use since April 2021.

Microsoft has uncovered a number of modules used by Nobelium, including the GoldMax, GoldFinder, and Sibot components. These build on other malware the same group has previously been found using: Sunburst, Solarigate, Teardrop, and Sunspot.

For organizations that fall prey to the attack, Microsoft recommends auditing on-premises and cloud infrastructure for configurations and for per-user and per-app settings; removing user and app access, reviewing configurations, and reissuing new, strong credentials; and using a hardware security module so that FoggyWeb cannot steal secrets from AD FS servers.
