The threat actor behind the SolarWinds supply chain attack has been linked to yet another “highly targeted” post-exploitation malware that could be used to maintain persistent access to compromised environments.
Nobelium was responsible for the SolarWinds breach, disclosed by Microsoft and FireEye (now known as Mandiant) in December 2020.
“Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia,” Microsoft said.
What does MagicWeb do?
It targets enterprise identity systems, namely Active Directory Federation Server (AD FS), which means on-premise AD servers versus cloud-based Azure Active Directory. As a result, Microsoft recommends isolating AD FS and restricting access to it.
“MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.”
SAML refers to Security Assertion Markup Language, which uses X.509 certificates to establish trust relationships between identity providers and services.
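Because MagicWeb is described above as a malicious DLL running inside the AD FS service and altering the claims it issues, one check a defender can run is to enumerate every module loaded into the AD FS process and flag anything that is not validly Microsoft-signed. The script below is an added example written for this page, not code from the article, Microsoft, or Mandiant; it assumes the AD FS service process is named Microsoft.IdentityServer.ServiceHost and must be run elevated on the AD FS server itself.

```powershell
# Added example (not from the article): audit the DLLs loaded into the running AD FS service.
# Assumption: the AD FS service executable is Microsoft.IdentityServer.ServiceHost.exe.
# Run from an elevated PowerShell session on the AD FS server.

$adfs = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction Stop |
        Select-Object -First 1

$findings = foreach ($module in $adfs.Modules) {
    $path = $module.FileName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    # Authenticode check: a tampered or replaced DLL will be unsigned, have a broken
    # signature, or carry a signer other than Microsoft.
    $sig         = Get-AuthenticodeSignature -LiteralPath $path
    $subject     = $sig.SignerCertificate.Subject        # $null when the file is unsigned
    $isMicrosoft = $subject -like '*O=Microsoft Corporation*'

    if ($sig.Status -ne 'Valid' -or -not $isMicrosoft) {
        [pscustomobject]@{
            Module = $module.ModuleName
            Path   = $path
            Status = $sig.Status
            Signer = $subject
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    Write-Warning 'Modules in the AD FS process that are not validly Microsoft-signed:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output "All $($adfs.Modules.Count) loaded modules carry a valid Microsoft signature."
}
```

Treat any hit as a lead for incident response rather than a verdict: legitimate third-party AD FS extensions will also appear here, so compare the reported paths and hashes against a known-good baseline taken from a clean build of the same AD FS version. Reviewing loaded modules complements, and does not replace, the isolation of AD FS servers and the restriction of administrative access that Microsoft recommends above.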
MagicWeb, which shares similarities with another tool called FoggyWeb, is assessed to have been deployed to maintain access and preempt eviction during remediation efforts, but only after the attackers had obtained highly privileged access to an environment and moved laterally to an AD FS server.
“Nobelium’s ability to deploy MagicWeb hinged on having access to highly privileged credentials that had administrative access to the AD FS servers, giving them the ability to perform whatever malicious activities they wanted to on the systems they had access to,” Microsoft said.
Specifically, this involves disabling an enterprise logging feature called Purview Audit (formerly Advanced Audit) to harvest emails from Microsoft 365 accounts. “APT29 continues to demonstrate exceptional operational security and evasion tactics,” Mandiant said.