Microsoft has warned that the hacker group behind the 2020 SolarWinds supply chain attack is using a new method to bypass authentication on corporate networks.
The capability, a highly specialized tool that Microsoft calls "MagicWeb," lets the group keep a firm foothold in a compromised network even as defenders try to evict it.
Unlike earlier operations by the group, which Microsoft tracks as Nobelium, MagicWeb is not delivered through a supply chain attack: the attackers install it by abusing administrator credentials.
Nobelium remains “highly active”
The US and UK governments attribute Nobelium to a unit of Russia's Foreign Intelligence Service (SVR). Nobelium has carried out several high-profile supply chain attacks since the compromise of SolarWinds' software build system, disclosed in late 2020. The trojanized SolarWinds update reached about 18,000 customers, among them several US federal agencies and technology companies, including Microsoft.
Since then, Microsoft and other security companies have identified several sophisticated Nobelium tools, including backdoors; MagicWeb is the latest. MagicWeb targets enterprise identity infrastructure, specifically Active Directory Federation Services (AD FS), an on-premises federation server, not Azure Active Directory in the cloud. Accordingly, Microsoft recommends isolating AD FS servers and tightly restricting access to them.
Microsoft says Nobelium remains "highly active". In mid-2021, Microsoft said it had found information-stealing malware attributed to Nobelium on the machine of one of its customer support agents, and that the access gained there was used to target others. Nobelium has also impersonated USAID, the United States Agency for International Development, in spear-phishing campaigns.
Handling authentication certificates
In October 2021, Microsoft drew attention to Nobelium attacks on software and cloud service resellers, once again abusing the trust between vendors and their customers to gain direct access to downstream customers' systems.
A month before the reseller attacks were disclosed, Microsoft had exposed a Nobelium tool called "FoggyWeb", a post-compromise backdoor that exfiltrates the AD FS server's configuration database to obtain the token-signing and token-decryption certificates, and that can also download and execute additional malware.
MagicWeb uses similar methods against AD FS, but Microsoft says its capabilities "go beyond FoggyWeb's data collection capabilities to directly facilitate covert access."
"MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an AD FS server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML."
As Microsoft explains, SAML, the Security Assertion Markup Language, uses X.509 certificates to establish trust between identity providers and service providers and to sign and decrypt tokens.
Targeted attacks, say Redmond experts
Before MagicWeb was deployed, the attackers had already obtained highly privileged credentials and moved laterally through the network to gain administrative rights on the AD FS server.
"This is not a supply chain attack," Microsoft notes. "The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing AD FS to load the malware instead of the legitimate binary."
Microsoft's Threat Intelligence Center (MSTIC), Microsoft 365 Defender Research, and the Microsoft Detection and Response Team (DART) discovered MagicWeb on customer systems. The company believes MagicWeb is being used in "targeted" attacks.
Microsoft recommends that customers keep their AD FS infrastructure isolated and accessible only by dedicated administrative accounts, or migrate to Azure Active Directory.
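Because the attack hinges on a replaced DLL on the AD FS server, the first thing a defender can check is whether every DLL in the locations AD FS loads from still carries a valid Microsoft Authenticode signature. The script below is an added example written for this page, not code from Microsoft's advisory; the two directory paths are assumptions (the defaults on Windows Server 2016 and later) and should be adjusted to the server's actual install location.

```powershell
# Added example, not code from Microsoft's advisory. Audits the Authenticode
# signatures of DLLs in the places AD FS loads code from: the AD FS install
# directory and the .NET GAC (Microsoft.IdentityServer.* assemblies live there).
# Run in an elevated PowerShell session on the AD FS server.
# Both paths are assumptions: the defaults on Windows Server 2016+.
$roots = @(
    "$env:windir\ADFS",
    "$env:windir\Microsoft.NET\assembly\GAC_MSIL"
)

function Get-SuspiciousAdfsDll {
    param([string[]] $Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path     = $_.FullName
                    Status   = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                    Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    Modified = $_.LastWriteTimeUtc
                }
            } |
            Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*O=Microsoft Corporation*' }  # not validly signed by Microsoft
    }
}

# Most recently modified files first: a swapped DLL usually has a fresh timestamp.
Get-SuspiciousAdfsDll -Paths $roots | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Treat the output as a review list rather than an alarm: a third-party claims provider or custom attribute store legitimately ships unsigned or non-Microsoft DLLs, and on PowerShell versions before 5.1 catalog-signed system files can show as NotSigned. A hash comparison against a known-good AD FS server of the same build settles any doubtful entry.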
Microsoft provides a detailed explanation of how MagicWeb bypasses authentication, which rests on how AD FS "claims-based authentication" works. Beyond providing single sign-on inside an organization, AD FS can issue "claims" (statements about a user carried in a token) that let external parties such as customers, partners and vendors authenticate with SSO.
"MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server," explains Microsoft.
How to secure the identity and authentication infrastructure?
MagicWeb also abuses the X.509 certificates used with SAML, which "contain Enhanced Key Usage (EKU) values that indicate which applications the certificate should be used for." EKUs are expressed as object identifier (OID) values, for example the OID for smart card logon. Organizations can also define their own OIDs to restrict what a certificate may be used for.
"The MagicWeb authentication bypass involves passing a non-standard Enhanced Key Usage OID that is hard-coded into the MagicWeb malware during an authentication request for a specified User Principal Name," explains Microsoft.
"When this hard-coded unique OID value is encountered, MagicWeb causes the authentication request to bypass all standard AD FS processes (including multi-factor authentication checks) and validates the authentication request. MagicWeb manipulates the user authentication certificates used in SAML signing, not the SAML assertion signing certificates used in attacks such as Golden SAML."
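The page does not give the OID MagicWeb looks for, so a defender cannot match on it directly; what can be done is to enumerate the EKU OIDs on the user certificates an AD FS deployment accepts and flag any OID that no policy of the organization defines. The function below is an added example, not Microsoft's code. The allow list and the folder of exported certificates are assumptions to be replaced with the EKUs the deployment actually accepts and the real certificate source.

```powershell
# Added example, not code from Microsoft's advisory. Lists the EKU OIDs on a
# certificate file and returns those not on an allow list. The allow list is an
# assumption: replace it with the EKUs your AD FS policy accepts for user
# certificate authentication. Requires PowerShell 5 or later.
function Get-UnexpectedEku {
    param(
        [Parameter(Mandatory)] [string] $CertificatePath,   # .cer/.crt file, DER or PEM
        [string[]] $AllowedOids = @(
            '1.3.6.1.5.5.7.3.2',       # id-kp-clientAuth
            '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon
        )
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)
    $eku  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return }   # no EKU extension present, nothing to compare
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($AllowedOids -notcontains $oid.Value) {
            [pscustomobject]@{
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                Oid          = $oid.Value
                FriendlyName = $oid.FriendlyName   # $null for private, unregistered OIDs
            }
        }
    }
}

# Scan a folder of exported user certificates (folder path is an assumption).
Get-ChildItem -Path 'C:\Audit\UserCerts' -Filter *.cer -File |
    ForEach-Object { Get-UnexpectedEku -CertificatePath $_.FullName } |
    Format-Table -AutoSize
```

An unexpected OID on a certificate is a lead, not proof: the bypass itself happens inside the AD FS process, so a certificate carrying a private OID that no certificate template or policy defines should prompt a check of the AD FS server's DLLs and of who issued that certificate, rather than be treated as a confirmed MagicWeb indicator on its own.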
Defenders working in organizations that may be under attack should refer to the Microsoft blog post for advice on how to harden networks and secure identity and authentication infrastructure.