efficient-'magicweb'-malware-subverts-ad-fs-authentication,-microsoft-warns

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Efficient 'MagicWeb' Malware Subverts AD FS Authentication, Microsoft Warns

The attackers responsible for the SolarWinds supply chain attack have added a new arrow to their quiver of misery: A post-compromise capability dubbed MagicWeb, which is used to maintain persistent access to compromised environments and move laterally.

Researchers at Microsoft observed the Russia-backed Nobelium APT using the backdoor after gaining administrative privileges to an Active Directory Federated Services (AD FS) server. With that privileged access, the attackers replace a legitimate DLL with the MagicWeb malicious DLL, so that the malware is loaded by AD FS as if it were legitimate.

Like domain controllers, AD FS servers can authenticate users. MagicWeb facilitates this on the part of the threat actors by allowing manipulation of the claims passed in authentication tokens generated by an AD FS server; thus, they can authenticate as any user on the network.

According to Microsoft, MagicWeb is a better iteration of the previously used specialized FoggyWeb tool, which also establishes a difficult-to-shake foothold inside victim networks.

“MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly,” Microsoft researchers explained. “It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.”

For now, MagicWeb use appears to be highly targeted, according to Microsoft’s advisory.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Related News

Nearly 500 million WhatsApp User Records Sold Online

Nearly 500 million WhatsApp User Records Sold Online

In what is becoming a rather common trend, a threat actor is claiming to sell 487 million WhatsApp users’ mobile…
How to Create ISO Files from Discs – 3 Best Ways

How to Create ISO Files from Discs – 3 Best Ways

An ISO file is a disk image of an optical disc. It is a single file that contains all the…
All You Need to Know About Emotet in 2022

All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it’s distributing malicious spam. Let’s dive…