Nobelium gang of SolarWinds/Orion notoriety targeting Microsoft Active Directory with FoggyWeb malware
Posted by: GuidePoint Security
Published 10/06/21, 9:00am
Microsoft is tracking new malware released by the Russian cybercrime gang known as Nobelium (other names include Cozy Bear and APT29). The malware—FoggyWeb—is being described by Microsoft as a “passive and highly targeted backdoor” that targets Active Directory (AD) servers by abusing the Security Assertion Markup Language (SAML) token. Using stolen credentials, Nobelium compromises the servers and then maintains persistence and extends access and infiltration using additional sophisticated malware and tools.
The FoggyWeb malware is used to remotely exfiltrate the configuration database of compromised AD Federation Services (FS) servers, the token-decryption certificate and decrypted token-signing certificate. Nobelium also uses the malware to download and execute additional components.
Nobelium (aka Cozy Bear and APT29) is the hacking division of the Russian Foreign Intelligence Service (SVR). The FoggyWeb malware is just one more in a long list of malware developed by Nobelium, including SunBurst, SunSpot, Raindrop, and Teardrop. Microsoft researchers believe that Nobelium has been using FoggyWeb in the wild since April 2021.
To read more on the malware activities of the Russian criminal gang Nobelium, check out the GuidePoint Security blog article ‘Creative Malvertising and Russian Bears Getting Cozy Again’.
Next Steps
Microsoft is continuing to work with partners and customers to track and understand Nobelium activities. The company has notified all customers that it has observed being targeted or compromised by Nobelium’s malicious efforts. Microsoft advises the following if a company believes it has been compromised:
- Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access.
- Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
- Use a hardware security module (HSM), as described in Microsoft’s guidance on securing AD FS servers, to prevent the exfiltration of secrets by FoggyWeb.
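As a concrete starting point for the audit and HSM steps above, the following PowerShell script is an added example (not code from the GuidePoint post or from Microsoft) that inventories the AD FS token-signing and token-decrypting certificates and reports whether each private key is held by a software key storage provider, which is the kind of on-disk secret FoggyWeb is described as exfiltrating, or by an HSM-backed provider. It assumes it is run as a local administrator on an AD FS server where the `ADFS` PowerShell module is installed; the helper `Get-KeyProviderName` and the provider-name pattern it matches on are assumptions for this example, not part of the AD FS module.

```powershell
# Added example, not from the original post. Assumes an AD FS server with the
# ADFS PowerShell module and local administrator rights.
Import-Module ADFS -ErrorAction Stop

function Get-KeyProviderName {
    # Hypothetical helper: return the name of the key storage provider (KSP/CSP)
    # that holds the certificate's private key on this host.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no-private-key-on-this-host' }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.Provider.Provider            # CNG provider name, e.g. an HSM KSP
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.ProviderName # legacy CSP name
    }
    return 'unknown-provider'
}

# Collect one row per token-signing / token-decrypting certificate known to AD FS.
$findings = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $provider = Get-KeyProviderName -Cert $c.Certificate
        [pscustomobject]@{
            Type        = $type
            Primary     = $c.IsPrimary
            Thumbprint  = $c.Thumbprint
            NotAfter    = $c.Certificate.NotAfter
            Provider    = $provider
            # Assumed pattern: Microsoft's built-in software providers keep the key
            # material on disk, so these are the keys worth moving to an HSM.
            SoftwareKey = ($provider -match 'Software Key Storage Provider|Enhanced Cryptographic Provider')
        }
    }
}

# Auto-rollover means AD FS generates its own software-backed self-signed certs.
$props = Get-AdfsProperties
$findings | Format-Table -AutoSize
"AutoCertificateRollover: $($props.AutoCertificateRollover)"

if ($findings | Where-Object SoftwareKey) {
    Write-Warning 'One or more AD FS signing/decryption keys are software-backed; consider migrating them to an HSM-backed provider.'
}
```

Run it on each AD FS server in the farm, not just the primary, and keep the thumbprint list: a token-signing certificate you did not issue, or one whose private key sits in a software provider when the farm is supposed to use an HSM, is exactly the kind of configuration change the first bullet asks you to look for.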
Security experts also recommend working with identity and access management and vulnerability management experts to better manage the auditing, user access/credential, and configuration processes.