Friday, March 29, 2024

New FoggyWeb Malware Attack & Install a Backdoor On Active Directory FS Servers

Researchers from Microsoft uncovered a new malware from NOBELIUM ATP threat group named FoggyWeb that gains a persistence backdoor on Active Directory Federation Services (AD FS) servers.

NOBELIUM is an infamous APT threat group that is behind the various malware attacks such as SUNBURST backdoor, TEARDROP malware, GoldMax, GoldFinder, and Sibot.

FoggyWeb is a newly uncovered malware from the NOBELIUM group that performs on the post-exploitation process to gain the persistence backdoor access and exfiltrate the configuration database of compromised AD FS servers remotely.

FoggyWeb Attacking AD FS

FoggyWeb was widely observed on April 2021 and is a highly targeting backdoor capable of exfiltrating sensitive information from a compromised AD FS servers.

Its also uses the command & control server to download the additional malicious component and execute into the compromised servers.

Post compromising process, attackers dropping two files in which one has stored a Foggyweb while other files act as a loader responsible for loading the encrypted FoggyWeb backdoor and decrypting the backdoor using Lightweight Encryption Algorithm (LEA).

  • %WinDir%\ADFS\version.dll
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

Attackers also loading the AD FS service executable with the help of DLL search order hijacking technique.

According to the Microsoft report “After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader, an unmanaged application, leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed.”

It allows attackers to grant backdoor access to the AD FS codebase and resources, also FoggyWeb backdoor as a passive and persistent backdoor when it’s loaded.

The following illustration will define how the actor communicates with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.

FoggyWeb Malware runs in the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database.

In order to option this process, attackers use the ADFSDump that needs to be executed under the user context of the AD FS service account.

“FoggyWeb also gain the programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,”Microsoft said.

Mitigations Suggested by Microsoft:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
  • Reduce local Administrators’ group membership on all AD FS servers.
  • Require all cloud admins to use multi-factor authentication (MFA).
  • Ensure minimal administration capability via agents.
  • Limit on-network access via host firewall.
  • Ensure AD FS Admins use Admin Workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
  • Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
  • Ensure that the installed certificates are protected against theft. Don’t store these on a share on the network and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
  • Remove unnecessary protocols and Windows features.
  • Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
  • Update to the latest AD FS version for security and logging improvements (as always, test first).
  • When federated with Azure AD follow the best practices for securing and monitoring the AD FS trust with Azure AD.

Indicators of compromise (IOCs)

TypeThreat NameThreat TypeIndicator
MD5FoggyWebLoader5d5a1b4fafaf0451151d552d8eeb73ec
SHA-1FoggyWebLoaderc896ece073dd01191cbc1d462bc2f47161828a83
SHA-256FoggyWebLoader231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1
MD5FoggyWebBackdoor (encrypted)9ff9401315d0f7258a9fcde0cfdef02b
SHA-1FoggyWebBackdoor (encrypted)4597431f26424cb814c917168fa8d74d01ab7cd1
SHA-256FoggyWebBackdoor (encrypted)da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169
MD5FoggyWebBackdoor (decrypted)e9671d294ce41fe6dbb9637dc0157a88
SHA-1FoggyWebBackdoor (decrypted)85cfeccbb48fd9f498d24711c66e458e0a80cc90
SHA-256FoggyWebBackdoor (decrypted)568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6

Found this article interesting!! Follow us on Linkedin,  Twitter,  Facebook for daily Cyber Security News & Updates

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles