Microsoft has revealed new malware utilized by the Nobelium hacking gang to set up additional payloads and hijack sensitive info from Active Directory Federation Services (AD FS) servers.

Nobelium, the attacker behind last year’s SolarWinds supply-chain attack that led to the negotiation of some US federal agencies, is the hacking division of the Russian Foreign Intelligence Service (SVR), generally known as APT29, The Dukes, or Cozy Bear.

The United States government formally exploits the SVR division of carrying out “the broad-scope cyber espionage campaign.” Cybersecurity firm Volexity also linked the attacks to APT29 operators based on technologies observed in past accidents going back to 2018.

Utilized in the Wild since April 2021

The Malware, dubbed by Microsoft Threat Intelligence Center (MSTIC) investigators FoggyWeb, is a “passive and highly targeted” backdoor that affects the Security Assertion Markup Language (SAML) token.

It is created to help the threat actors remotely exfiltrate sensitive information from negotiated AD FS servers by configuring the HTTP listeners for actor-defined URIs to intercept GET/POST requests sent to the AD FS server matching the custom URI patterns.

“NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of negotiated AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to the download and run additional components,” Microsoft said.

“It can also receive additional malicious components from a command-and-control (C2) server and run them on the negotiated server.” FoggyWeb works as a persistent backdoor that allows abuse of SAML tokens and configures HTTP listeners for actor-defined URIs to intercept GET/POST requests sent to the AD FS server that match the custom URI patterns.

The Russian state hackers have been observed using the FoggyWeb backdoor in the wild since April 2021.

FoggyWeb Defense Information

Microsoft has already warned notified customers that were addressed or negotiated using this backdoor.

Organizations that believe they might’ve been breached or compromised are advised to:

• Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access
• Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
• Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.

In May, Microsoft researchers also reported four other malware families used by Nobelium in their attacks: a downloader known as ‘BoomBox,’ an HTML attachment named ‘EnvyScout,’ a shellcode downloader and launcher named ‘VaporRage,’ and a loader known as ‘NativeZone,’

They reported three more Nobelium malware strains used for layered persistence in March: a command-and-control backdoor dubbed ‘GoldMax,’ a persistence tool and malware dropper named ‘Sibot,” and an HTTP tracer tool tracked as ‘GoldFinder.’