Microsoft has unveiled another piece of malware used by attackers behind the SolarWinds software supply chain attack that was discovered in December.
Security researchers have uncovered numerous modules used by the attack team, which Microsoft calls Nobelium. The United States and the United Kingdom in April formally blamed the attack on the Russian Foreign Intelligence Service (SVR) hacking team, also known as APT29, Cozy Bear and The Dukes.
Microsoft unveiled Nobelium components GoldMax, GoldFinder and Sibot in March, based on other malicious software in the group, including Sunburst / Solarigate, Teardrop and Sunspot.
The recently discovered malware, called FoggyWeb by Microsoft, is a backdoor used by hackers since a targeted server has already been compromised.
In this case, the team uses various tactics to steal network usernames and passwords to gain administrator-level access to Active Directory Federation Services servers, giving them access to an identity and access management infrastructure to control their access. users in applications and resources. This allows attackers to remain within a network even after cleaning. FoggyWeb has been used by hackers since April 2021, according to Microsoft.
The backdoor allows the abuse of the Security Assertion Markup Language (SAML) token, which is used to help users authenticate more easily in applications.
Microsoft recommends that potentially affected customers take three key steps: check infrastructure and cloud infrastructure for configurations and settings per user and per application, remove user and application access, configure and re-issue new, strong credentials, and using a hardware security module to prevent FoggyWeb from stealing secrets from AD FS servers.
Useful Tip: How to download and use Microsoft Word for free
Microsoft unveiled more Noeblium infection tools in May, including EnvyScout, BoomBox, NativeZone and VaporRage, as well as a phishing campaign launched on a legitimate US email marketing service.
Source of information: zdnet.com