Microsoft recently identified that the Nobelium hacking group is using new malware to deliver additional payloads and steal sensitive data from AD FS (Active Directory Federation Services) servers.
Nobelium is the hacking division of the Russian Foreign Intelligence Service (SVR), also known as APT29, Cozy Bear, or The Dukes. In April, the US government publicly accused the SVR section of conducting “broad-scale cyber espionage operations.”
According to cybersecurity company Volexity, the attacks were also connected to APT29 operators reusing techniques seen in earlier incidents in 2018.
Microsoft Threat Intelligence Center (MSTIC) experts have named this malware FoggyWeb. It is a “passive and highly targeted” backdoor that leverages the Security Assertion Markup Language (SAML) token.
Its purpose is to help attackers remotely exfiltrate sensitive data from compromised AD FS servers: it sets up HTTP listeners for actor-defined URIs and captures the GET/POST requests sent to the AD FS server that match those custom URI patterns.
According to Microsoft, NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate and the token-decryption certificate, and to download and run additional components.
Moreover, new malicious components can also be sent from a command-and-control (C2) server and executed on the hacked server.
FoggyWeb functions as a persistent backdoor that allows the abuse of SAML tokens and configures HTTP listeners for actor-defined URIs to capture GET/POST requests sent to the AD FS server:
“When loaded, the FoggyWeb backdoor (originally named Microsoft.IdentityServer.WebExtension.dll by its developer) functions as a passive and persistent backdoor that allows abuse of the Security Assertion Markup Language (SAML) token. The backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target’s AD FS deployment. The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor,” Microsoft’s security team wrote.
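Because the listeners described above only react to requests matching URI patterns chosen by the actor, one practical defender check is to baseline the URIs your AD FS deployment legitimately serves and flag anything else. The script below is an added example, not code from Microsoft's report; the log format, the source addresses and the PLACEHOLDER paths are constructed (the page does not reproduce FoggyWeb's actual URIs), and the known-good path set must be built from your own deployment.

```python
import re
from collections import defaultdict

# Constructed sample of HTTP requests reaching an AD FS server. Real AD FS
# request details live in its own audit events, so adapt parse_line() to them.
SAMPLE_LOG = """\
2021-09-27T10:00:01Z 10.0.0.12 GET /adfs/ls/?wa=wsignin1.0 200
2021-09-27T10:00:05Z 10.0.0.12 POST /adfs/services/trust/2005/usernamemixed 200
2021-09-27T10:00:09Z 10.0.0.40 GET /FederationMetadata/2007-06/FederationMetadata.xml 200
2021-09-27T10:01:10Z 198.51.100.7 GET /adfs/portal/images/theme/PLACEHOLDER-unusual-path/ 200
2021-09-27T10:01:12Z 198.51.100.7 POST /adfs/services/trust/2005/PLACEHOLDER-unusual-endpoint 200
"""

# Exact known-good paths (baseline from your own AD FS deployment). Exact paths,
# not prefixes, so a lookalike URI nested under a legitimate path still stands out.
KNOWN_PATHS = {
    "/adfs/ls/",
    "/adfs/services/trust/2005/usernamemixed",
    "/adfs/services/trust/13/usernamemixed",
    "/adfs/services/trust/mex",
    "/federationmetadata/2007-06/federationmetadata.xml",
    "/adfs/.well-known/openid-configuration",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    path = url.split("?", 1)[0]  # the listener matches on the path, drop the query
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}


def is_known(path):
    return path.lower() in KNOWN_PATHS


def find_unknown_uris(log_text):
    """Map (method, path) of every request outside the baseline to its source IPs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not is_known(rec["path"]):
            hits[(rec["method"], rec["path"])].append(rec["src"])
    return dict(hits)


if __name__ == "__main__":
    for (method, path), sources in find_unknown_uris(SAMPLE_LOG).items():
        print(f"UNKNOWN {method} {path} from {sorted(set(sources))}")
```

Requests to a baseline path still merit review if their volume or source changes, since a listener can sit on any path the actor chooses; the check only narrows the haystack.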
Since April 2021, the FoggyWeb backdoor has been used in the wild by Russian state hackers.