
Microsoft warns of newly detected Nobelium Malware

NOBELIUM employs different tactics to pursue credential theft to gain admin-level access.

Updated: October 6, 2021 By Ozair Malik

Image source: freepik.com

In a recent in-depth analysis, the Microsoft Threat Intelligence Center (MSTIC) disclosed a newly detected NOBELIUM malware: a post-exploitation backdoor referred to as FoggyWeb.

Microsoft has notified all customers observed being targeted or compromised by this activity.

Nafisi, in Microsoft's disclosure blog

Microsoft has previously profiled NOBELIUM's GoldMax, GoldFinder, and Sibot malware, used for layered persistence, as well as its early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage. NOBELIUM is the actor behind the SUNBURST backdoor and the related TEARDROP malware.

And Tim Cook put it perfectly:

If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.


Backdoor targeting AD FS

FoggyWeb is a backdoor that can fetch encrypted information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.

After gaining access to an AD FS server, the actor drops the following two files on the victim's machine:

  • %WinDir%\ADFS\version.dll
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

The file named version.dll is the NOBELIUM loader. Once loaded, it reads the encrypted FoggyWeb backdoor file (the .pri file above) and decrypts it in memory with the Lightweight Encryption Algorithm (LEA), so the backdoor itself never touches disk in decrypted form.

Structure of Microsoft.IdentityServer.ServiceHost.exe.

Image source – microsoft.com

The developer of the FoggyWeb backdoor originally named it "Microsoft.IdentityServer.WebExtension.dll". The backdoor's functions allow abuse of Security Assertion Markup Language (SAML) tokens. It sets up HTTP listeners for pre-defined URIs that mimic the structure of the legitimate URIs used by the target's AD FS deployment. The listeners monitor all incoming HTTP GET/POST requests sent to the AD FS server and intercept those that match the custom URI patterns defined by NOBELIUM.

For example:

  • HTTP GET URI pattern:
    • /adfs/portal/images/theme/light01/profile.webp
    • /adfs/portal/images/theme/light01/background.webp
    • /adfs/portal/images/theme/light01/logo.webp
  • HTTP POST URI pattern:
    • /adfs/services/trust/2005/samlmixed/upload

Each URI pattern above corresponds to a command-and-control server.
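Because the listener URIs above look like ordinary theme images and a SAML endpoint, they are easy to miss in web logs. The following script is an added example for defenders (not code from the original article or from Microsoft): it scans W3C-style request log lines for exactly those four method/URI pairs and reports hits per client IP, and it checks a file listing for the two dropped-file paths from the previous section. The log lines, the file listing, the client IPs and the log field layout are all constructed for the example; real AD FS front ends may log different fields, so the regex is an assumption to adapt.

```python
"""Triage helpers for the FoggyWeb indicators described above (example code).

1. scan_http_log(): flag requests to the FoggyWeb listener URIs in
   W3C-style web-server log lines (field layout assumed, see LOG_RE).
2. find_dropped_files(): flag the two dropped-file paths in a file listing.
All sample data below is constructed, not real telemetry.
"""
import re
from collections import defaultdict

# The four listener patterns named in the disclosure (method, URI stem).
FOGGYWEB_URIS = {
    ("GET", "/adfs/portal/images/theme/light01/profile.webp"),
    ("GET", "/adfs/portal/images/theme/light01/background.webp"),
    ("GET", "/adfs/portal/images/theme/light01/logo.webp"),
    ("POST", "/adfs/services/trust/2005/samlmixed/upload"),
}

# Dropped-file indicators; %WinDir% is normalised to C:\Windows for comparison.
DROPPED_FILES = (
    r"%WinDir%\ADFS\version.dll",
    r"%WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri",
)

# Assumed W3C field order: date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)


def scan_http_log(lines):
    """Return {client_ip: [(method, uri), ...]} for requests matching the
    FoggyWeb URI patterns. '#' directive lines and blanks do not parse and
    are skipped; the URI stem is lower-cased before comparison."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        key = (m["method"], m["uri"].lower())
        if key in FOGGYWEB_URIS:
            hits[m["ip"]].append(key)
    return dict(hits)


def _normalise(path):
    """Canonical form for path comparison: backslashes, %WinDir% expanded,
    case folded (NTFS paths are case-insensitive)."""
    p = path.strip().replace("/", "\\")
    p = re.sub(r"^%windir%", r"C:\\Windows", p, flags=re.IGNORECASE)
    return p.lower()


def find_dropped_files(listing):
    """Given full paths (e.g. exported from a forensic directory listing),
    return the indicator paths from DROPPED_FILES that are present."""
    wanted = {_normalise(p): p for p in DROPPED_FILES}
    seen = {_normalise(p) for p in listing}
    return [orig for norm, orig in wanted.items() if norm in seen]


# Constructed sample log: one benign client, one client hitting the listeners.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-09-27 10:14:02 198.51.100.23 GET /adfs/ls/idpinitiatedsignon 200
2021-09-27 10:14:05 198.51.100.23 GET /adfs/portal/images/theme/light01/illustration.png 200
2021-09-27 10:15:41 203.0.113.77 GET /adfs/portal/images/theme/light01/profile.webp 200
2021-09-27 10:15:44 203.0.113.77 POST /adfs/services/trust/2005/samlmixed/upload 200
2021-09-27 10:16:01 203.0.113.77 GET /adfs/portal/images/theme/light01/background.webp 200
""".splitlines()

# Constructed sample listing of an AD FS server; version.dll legitimately
# lives in System32, so a copy in the ADFS directory is the indicator.
SAMPLE_LISTING = [
    r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
    r"C:\Windows\ADFS\version.dll",
    r"C:\Windows\System32\version.dll",
]

if __name__ == "__main__":
    for ip, reqs in scan_http_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} FoggyWeb URI hit(s): {reqs}")
    for path in find_dropped_files(SAMPLE_LISTING):
        print(f"dropped-file indicator present: {path}")
```

A single client requesting the .webp "theme images" together with a POST to the samlmixed/upload URI is the pattern worth alerting on; a legitimate browser loading the sign-in page does not request those names.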

FoggyWeb runs as part of the main Active Directory Federation Services process, so it inherits the AD FS service account's permissions to access the AD FS configuration database, similar to tools such as ADFSDump.

Because FoggyWeb loads into the same application domain as the AD FS managed code, it gains programmatic access to the legitimate AD FS classes, methods, properties, and components, which it subsequently leverages to facilitate its malicious operations.


Identifying such Trojans and Malware

Now the question arises: how can we know of such Trojans and malware, and whether we are exposed to them?

To prevent NOBELIUM attacks, AD FS servers must be protected, and malware and attacker activity must be detected and blocked. Microsoft Defender Antivirus (MDA) detects the new NOBELIUM components discussed here as the following malware:

  • Loader: Trojan:Win32/FoggyWeb.A!dha
  • Backdoor: Trojan:MSIL/FoggyWeb.A!dha

Microsoft recommends the following of its tools to help prevent Trojans and malware like NOBELIUM's:

Azure AD Identity Protection

Azure AD identifies risks of different types, such as:

  • Anonymous IP address use
  • IP address linked with malware
  • Leaked credential details
  • And more…

Azure AD produces risk signals and immediately provides remediation, requiring users to perform authentication or a self-service password reset, or blocking the action, without administrator involvement.

Attacks like NOBELIUM's FoggyWeb and similar backdoors can also be detected in the cloud using Azure AD Identity Protection.

Microsoft 365 Defender

Microsoft Defender for Endpoint offers centralized configuration and administration, and APIs.

Its capabilities include:

  • Threat and Vulnerability Management
  • Attack Surface Reduction
  • Next-Generation Protection
  • Endpoint Detection and Response
  • Auto investigation and Remediation
  • Microsoft Threat Experts

Endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint detect malicious behavior like this malware's, raising alerts such as "Suspicious DLL was loaded," "Suspicious file launched," and "Suspicious activity."


FoggyWeb Mitigations

MSTIC recommends that organizations secure AD FS deployments through practices such as:

  • Give admin rights only to AD FS admins.
  • Avoid additional local Administrators on AD FS servers; each extra one is a risk.
  • Require multi-factor authentication (MFA) for all cloud admins.
  • Keep administration capability via agents to a minimum.
  • Limit on-network access via the host firewall.
  • Use admin workstations to protect credentials.
  • Place AD FS server computer objects in a top-level OU independent of other host servers.
  • Ensure installed certificates are protected against theft, and rotate them in a timely manner.
  • Protect signing keys or certificates in a hardware security module (HSM) attached to AD FS.
  • Remove unnecessary protocols.
  • Remove unnecessary Windows features.
  • Use a complex password for the AD FS service account, or use a Group Managed Service Account (gMSA) as the service account so that the password is managed automatically.
  • Update to the latest AD FS version.
  • When federated with Azure AD, follow the best practices for securing and monitoring the AD FS trust with Azure AD.

Conclusion

SolarWinds is a major software company based in Tulsa, Okla. The company provides system management tools and other technical services to many organizations around the globe.

One of the company's products is an IT performance monitoring system called Orion. Because SolarWinds Orion is an IT monitoring system, it had privileged access to IT systems, making it easy to obtain log and system data.

The SolarWinds Orion system was involved in the supply chain breach performed by a cybercrime group that Microsoft later identified as NOBELIUM. These hackers gained access to the networks, systems, and data of thousands of SolarWinds customers. More than 30,000 public and private organizations used the Orion network management system to manage their IT resources, and the company inadvertently shipped the backdoor malware to them as an update to the Orion software.

On 26-27 June, MSTIC published a new disclosure announcement stating that the same group had tried to exploit Microsoft's support capabilities.

Moreover, Microsoft revealed how it found a piece of information-stealing malware on one of its machines, and this same NOBELIUM group was then disclosed with the new backdoor malware that Microsoft named FoggyWeb.

Tags: News

Author: Ozair Malik
A passionate Cyber Security researcher and writer with a keen interest in Digital Forensics. A community worker running an insta blog to raise cybersecurity awareness among laymen.