Microsoft has published extensive information on new malware it calls FoggyWeb, deployed by the Russia-linked threat actor Nobelium, which is said to be behind the devastating SolarWinds supply chain attack on corporate and government IT systems worldwide.

FoggyWeb is a backdoor used against Active Directory Federation Services (AD FS) servers, which provide single sign-on for users. Once Nobelium has compromised an AD FS server, the malware can be used to remotely exfiltrate sensitive information from it, including the AD FS configuration database, the decrypted token-signing certificate and the decrypted token-decryption certificate.

FoggyWeb has been observed in the wild and is a highly targeted backdoor capable of exfiltrating sensitive information from a compromised AD FS server. It also uses its command-and-control (C2) server to download additional malicious components and execute them on the compromised server.

After compromising an AD FS server, the attackers drop two files. One holds the encrypted FoggyWeb backdoor; the other is a loader responsible for loading the encrypted backdoor into memory and decrypting it with the Lightweight Encryption Algorithm (LEA).

  • %WinDir%\ADFS\version.dll (the loader)
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri (the encrypted backdoor, disguised as a Windows resource file)

The loader is executed through DLL search order hijacking: the AD FS service executable (Microsoft.IdentityServer.ServiceHost.exe, installed in %WinDir%\ADFS) loads a DLL named version.dll by name, so the malicious copy planted in the service's own directory is found and loaded instead of the legitimate version.dll in System32.

FoggyWeb can also receive further malware from Nobelium's command-and-control servers and run it on compromised AD FS instances. Microsoft has notified customers it believes were attacked by Nobelium and FoggyWeb, and recommends that AD FS operators take a range of measures to secure their servers.

The company said FoggyWeb is detected by Microsoft 365 Defender.

Mitigations recommended by Microsoft

  • Ensure that only Active Directory admins and AD FS admins have administrative rights on the AD FS system.
  • Reduce local Administrators group membership on all AD FS servers.
  • Require multi-factor authentication (MFA) for administrators.
  • Limit on-network access with the host firewall.
  • Ensure AD FS admins use isolated workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that does not also host other servers.
  • Protect signing keys or certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and send the AD FS logs to a SIEM to correlate them with Active Directory and Azure AD authentication events.
  • Remove unnecessary protocols and Windows features.
  • Use a long (more than 25 characters) and complex password for the AD FS service account. A Group Managed Service Account (gMSA) is recommended as the service account, since it removes the need to manage the service account password over time by rotating it automatically.
  • When federated with Azure AD, follow the best practices for securing and monitoring the AD FS trust with Azure AD.
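Several of these mitigations can be verified from the AD FS server itself. The following PowerShell script is an added example, not part of Microsoft's guidance or report: it checks the audit level, the service account type, local Administrators membership and the host firewall, and with -Fix turns AD FS auditing up to Verbose. It assumes AD FS 2016 or later (where Get-AdfsProperties exposes AuditLevel), the default service name adfssrv, and treats a service account name ending in "$" as a gMSA, which is a heuristic rather than an authoritative check. The script name Invoke-AdfsHardeningAudit.ps1 and the member-count threshold of 3 are the author's assumptions.

```powershell
# Invoke-AdfsHardeningAudit.ps1 (added example; not Microsoft's code)
# Run in an elevated PowerShell session on the AD FS server.
# Assumes AD FS 2016+ (AuditLevel property), service name 'adfssrv', and the
# heuristic that a service account ending in '$' is a gMSA.
param([switch]$Fix)   # -Fix applies the logging changes; everything else is report-only

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Logging at the highest level: AD FS AuditLevel should be Verbose, and the OS audit
#    subcategory that AD FS writes its security events to must be enabled as well.
$props   = Get-AdfsProperties
$verbose = $props.AuditLevel -contains 'Verbose'
Add-Result 'AD FS audit level is Verbose' $verbose ('AuditLevel = ' + ($props.AuditLevel -join ','))
if (-not $verbose -and $Fix) {
    Set-AdfsProperties -AuditLevel Verbose
    auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
    Add-Result 'AD FS audit level is Verbose (after -Fix)' $true 'Set-AdfsProperties -AuditLevel Verbose applied'
}

# 2. Service account: a gMSA name ends with '$' (heuristic). A plain user account means a
#    long-lived password that must be managed by hand and is worth stealing.
$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
$isGmsa = [bool]($svc.StartName -match '\$$')
Add-Result 'AD FS service runs as a gMSA' $isGmsa ('service account = ' + $svc.StartName)

# 3. Local Administrators: flag local (non-domain) members other than the built-in
#    Administrator, and flag a large group. The threshold of 3 is an assumed baseline.
$admins    = @(Get-LocalGroupMember -Group 'Administrators')
$nonDomain = @($admins | Where-Object { $_.PrincipalSource -ne 'ActiveDirectory' -and $_.Name -notmatch '\\Administrator$' })
Add-Result 'Local Administrators group is minimal' ($admins.Count -le 3 -and $nonDomain.Count -eq 0) ('members = ' + ($admins.Name -join ', '))

# 4. Host firewall enabled on every profile (Domain, Private, Public).
$profiles = Get-NetFirewallProfile
$allOn    = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0
Add-Result 'Host firewall enabled on all profiles' $allOn (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

$results | Format-Table -AutoSize -Wrap
```

The checks for isolated admin workstations, OU placement and HSM-backed signing keys are organisational or depend on the HSM vendor, so they are left out of the script and should be verified separately.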

Indicators Of Compromise

Type     Threat Name   Threat Type            Indicator
MD5      FoggyWeb      Loader                 5d5a1b4fafaf0451151d552d8eeb73ec
SHA-1    FoggyWeb      Loader                 c896ece073dd01191cbc1d462bc2f47161828a83
SHA-256  FoggyWeb      Loader                 231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1
MD5      FoggyWeb      Backdoor (encrypted)   9ff9401315d0f7258a9fcde0cfdef02b
SHA-1    FoggyWeb      Backdoor (encrypted)   4597431f26424cb814c917168fa8d74d01ab7cd1
SHA-256  FoggyWeb      Backdoor (encrypted)   da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169
MD5      FoggyWeb      Backdoor (decrypted)   e9671d294ce41fe6dbb9637dc0157a88
SHA-1    FoggyWeb      Backdoor (decrypted)   85cfeccbb48fd9f498d24711c66e458e0a80cc90
SHA-256  FoggyWeb      Backdoor (decrypted)   568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6
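The drop paths and hashes above can be turned directly into a host-level hunt. The following PowerShell script is an added example, not part of Microsoft's report: it checks the two published drop locations, hashes anything found there against the SHA-256 values in the table, and goes one step beyond the table by flagging any DLL in the AD FS install directory that is not validly Microsoft-signed (since the search-order hijack depends on planting a DLL next to the AD FS service executable) and by sweeping the whole SystemResources tree for the known hashes in case the payload was renamed. Only the SHA-256 values from the table are used; the subject-string check for Microsoft's signing certificate is an assumption about how the signer is named.

```powershell
# Added hunting script (not Microsoft's code). Run elevated on the AD FS server itself.
# Assumptions: SHA-256 values are those from the IOC table on this page; the drop paths
# are the two published locations; the AD FS service executable lives in %WinDir%\ADFS.

$iocSha256 = @{
    '231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1' = 'FoggyWeb loader'
    'da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169' = 'FoggyWeb backdoor (encrypted)'
    '568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6' = 'FoggyWeb backdoor (decrypted)'
}

$dropPaths = @(
    '%WinDir%\ADFS\version.dll'
    '%WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

$findings = [System.Collections.Generic.List[object]]::new()
function Get-Sha256([string]$Path) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower() }
function Add-Finding([string]$Path, [string]$Sha, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Path = $Path; SHA256 = $Sha; Reason = $Reason })
}

# 1. Published drop locations. Neither file exists on a clean AD FS server (the legitimate
#    version.dll lives in System32), so presence alone is a finding; a hash match names the sample.
foreach ($p in $dropPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $sha = Get-Sha256 $p
    $reason = if ($iocSha256.ContainsKey($sha)) { "hash matches $($iocSha256[$sha])" } else { 'file present at a published FoggyWeb drop path (hash not in IOC list; possible new variant)' }
    Add-Finding $p $sha $reason
}

# 2. Any DLL beside Microsoft.IdentityServer.ServiceHost.exe that is not validly Microsoft-signed.
#    This generalises beyond version.dll: any unsigned or third-party DLL here is a hijack candidate.
$adfsDir = Join-Path $env:WinDir 'ADFS'
Get-ChildItem -LiteralPath $adfsDir -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    # Assumption: Microsoft's code-signing certificates carry 'O=Microsoft Corporation' in the subject.
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    if (-not $isMicrosoft) {
        Add-Finding $_.FullName (Get-Sha256 $_.FullName) "DLL in AD FS directory is not validly Microsoft-signed (status: $($sig.Status))"
    }
}

# 3. Hash sweep of the SystemResources tree, where the encrypted payload hides among
#    legitimate .pri files; catches the known sample even if it was renamed or moved within the tree.
$resDir = Join-Path $env:WinDir 'SystemResources'
Get-ChildItem -LiteralPath $resDir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sha = Get-Sha256 $_.FullName
    if ($iocSha256.ContainsKey($sha) -and ($_.FullName -notin $dropPaths)) {
        Add-Finding $_.FullName $sha "hash matches $($iocSha256[$sha]) outside the published drop path"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No FoggyWeb indicators found on this host.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A hash match is confirmation, but the absence of a match is not a clean bill of health: a recompiled variant changes every hash, which is why the script also reports any file at the known paths and any non-Microsoft DLL in the AD FS directory, and why Microsoft's guidance to forward AD FS logs to a SIEM still matters.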