Microsoft has published extensive information on new malware it calls FoggyWeb, deployed by Russia-linked threat actors Nobelium who are said to be behind the devastating SolarWinds supply chain attack on corporate and government IT systems worldwide.
FoggyWeb is backdoor used against Active Directory Federation Services servers, which provide single sign-on for users. The malware can be used to remotely exfiltrate sensitive information from AD FS servers compromised by Nobelium. This includes the AD FS server configuration database, decrypted token-signing, and decryption certificates.
FoggyWeb was widely observed and is a highly targeting backdoor capable of exfiltrating sensitive information from a compromised AD FS server. It’s also uses the command & control server to download the additional malicious component and execute into the compromised servers.
Post compromising process, attackers dropping two files in which one has stored a FoggyWeb while other files act as a loader responsible for loading the encrypted FoggyWeb backdoor and decrypting the backdoor using Lightweight Encryption Algorithm (LEA).
- %WinDir%ADFSversion.dll
- %WinDir%SystemResourcesWindows.Data.TimeZonesprisWindows.Data.TimeZones.zh-PH.pri
Attackers also loading the AD FS service executable with the help of DLL search order hijacking technique.
FoggyWeb can also receive further malware from Nobelium command and control servers and run these on compromised AD FS instances. Customers believed to be attacked by Nobelium and FoggyWeb have been alerted by Microsoft, which recommends that AD FS users take a range of measures to secure their servers.
The company said FoggyWeb is detected by its Defender 365 anti-malware utility.
Mitigations by Microsoft
- ADFS admin rights to be ensured
- Reduce local Administrators’ group membership on all AD FS servers.
- Use MFA as mandate
- Limit on-network access via host firewall.
- Ensure AD FS Admins use isolated workstations to protect their credentials.
- Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
- Protect signing keys or certificates in a hardware security module (HSM) attached to AD FS.
- Set logging to the highest level and send the AD logs to a SIEM to correlate with AD authentication as well as Azure AD.
- Remove unnecessary protocols and Windows features.
- Use a long (>25 characters) and complex password for the AD FS service account. Group Managed Service Account (gMSA) as the service account recommended, as it removes the need for managing the service account password over time by managing it automatically.
- When federated with Azure AD follow the best practices for securing and monitoring the AD FS trust with Azure AD.
Indicators Of Compromise
| Type | Threat Name | Threat Type | Indicator |
| MD5 | FoggyWeb | Loader | 5d5a1b4fafaf0451151d552d8eeb73ec |
| SHA-1 | FoggyWeb | Loader | c896ece073dd01191cbc1d462bc2f47161828a83 |
| SHA-256 | FoggyWeb | Loader | 231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1 |
| MD5 | FoggyWeb | Backdoor (encrypted) | 9ff9401315d0f7258a9fcde0cfdef02b |
| SHA-1 | FoggyWeb | Backdoor (encrypted) | 4597431f26424cb814c917168fa8d74d01ab7cd1 |
| SHA-256 | FoggyWeb | Backdoor (encrypted) | da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169 |
| MD5 | FoggyWeb | Backdoor (decrypted) | e9671d294ce41fe6dbb9637dc0157a88 |
| SHA-1 | FoggyWeb | Backdoor (decrypted) | 85cfeccbb48fd9f498d24711c66e458e0a80cc90 |
| SHA-256 | FoggyWeb | Backdoor (decrypted) | 568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6 |
