SolarWinds Hackers Stole Info From Microsoft AD Servers In New Attack

‘What I cannot get is why customers still do not protect their AD FS keys in an HSM - if they still use AD FS. This was a key vector during the SolarWinds attack and the actor behind it is still chasing these keys,’ Microsoft’s Roger Halbheer writes on LinkedIn.

The hackers behind the SolarWinds campaign have developed a backdoor that exfiltrates sensitive information from compromised Microsoft Active Directory Federation Services (AD FS) servers.

The Redmond, Wash.-based software giant said the “passive and highly targeted” FoggyWeb backdoor remotely steals credentials, configuration databases, and decrypted token-signing and token-decryption certificates from compromised AD FS servers. FoggyWeb has been observed in the wild since April and can be used to download and execute additional components that increase persistence, Microsoft said.

“FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server,” Ramin Nafisi, senior malware reverse engineer at the Microsoft Threat Intelligence Center, wrote in a blog Monday. “It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.”

[Related: SolarWinds Hackers Breached RNC Via Synnex In New Attack: Report]

When loaded, Nafisi said FoggyWeb functions as a passive and persistent backdoor that allows abuse of the Security Assertion Markup Language (SAML) token. It is designed to help the hackers remotely exfiltrate sensitive information from compromised AD FS servers by configuring HTTP listeners for actor defined URIs that mimic the structure of legitimate URIs used by the target’s AD FS deployment.

The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS servers from the intranet or internet and intercept HTTP requests that match the custom URI patterns defined by the actor. The GET requests prompt FoggyWeb to retrieve token signing certificates, token decryption certificates, or configuration data from the compromised server while covering their tracks.

“Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,” Nafisi wrote in the blog post.

The backdoor also doesn’t need to keep track of version-dependent properties of AD FS such as named pipe names legacy versus modern configuration table names and schemas, Nafisi wrote. FoggyWeb is yet another custom-built malware and tool often showcased by the Russian foreign intelligence service (SVR) in their campaigns, Microsoft said.

The U.S. government formally blamed the SVR in April for the colossal SolarWinds attack, which compromised nine federal agencies as well as more than 100 private sector organizations. The SVR is also known as APT 29, Cozy Bear and Nobelium.

“Protecting AD FS servers is key to mitigating Nobelium attacks,” Nafisi wrote in the blog post. “Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known Nobelium attack chains.” AD FS servers run solely on-premises, according to Microsoft.

Microsoft said it’s already notified customers who were targeted or compromised using the FoggyWeb backdoor. Organizations that believe they’ve been breached or compromised are advised by Microsoft to audit their on-premises and cloud infrastructure for changes the SVR might have made to maintain their access.

Impacted customers should also remove user and app access and re-issue new, strong credentials following documented industry best practices, according to Microsoft. Finally, Microsoft said businesses should use a hardware security module (HSM) to prevent the exfiltration of secrets by FoggyWeb.

“What I cannot get is why customers still do not protect their AD FS keys in an HSM - if they still use AD FS,” Microsoft Chief Security Advisor Roger Halbheer wrote in a LinkedIn post shortly after 3 a.m. ET Tuesday. “This was a key vector during the SolarWinds attack and the actor behind it is still chasing these keys.”