Microsoft Security Warning: This malware creates a 'persistent' backdoor for hackers to get in.
This custom backdoor lets attackers remotely steal tokens and certificates from Microsoft's identity platform. Microsoft has uncovered another piece of malware used by the attackers behind the SolarWinds software supply chain attack discovered in December 2020. In March, Microsoft disclosed the GoldMax, GoldFinder and Sibot components from Nobelium, adding to the group's earlier malware, including Sunburst/Solorigate, Teardrop and Sunspot.
The newly discovered malware, which Microsoft calls FoggyWeb, is a post-exploitation backdoor: it is deployed only after a targeted server has already been compromised. Nobelium first uses a range of tactics to steal network usernames and passwords and gain admin-level access to Active Directory Federation Services (AD FS) servers, the identity and access management infrastructure that controls user access to apps and resources. Once installed, FoggyWeb can remotely exfiltrate the AD FS configuration database together with the decrypted token-signing and token-decryption certificates, which lets the attackers forge authentication tokens and keep a foothold in the network even after a clean-up that misses the implant. FoggyWeb has been used in the wild since as early as April 2021, according to Microsoft.
Microsoft recommends that potentially affected customers take three key steps: audit on-premises and cloud infrastructure, including configuration and per-user and per-app settings, for changes the actor may have made; remove user and app access, review the configuration of each, and re-issue new, strong credentials; and use a hardware security module (HSM) to hold the AD FS certificates so that FoggyWeb cannot exfiltrate the secrets from the AD FS servers.
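The last two of those steps can be checked and partly carried out from the AD FS PowerShell module. The script below is an added example written for this article; it is not Microsoft's tooling and not part of its guidance text. It reports where the private keys behind the token-signing and token-decrypting certificates live (AD FS-managed and DKM-protected, which is exactly the material FoggyWeb can exfiltrate, versus a key in the local machine store, versus a non-exportable key on an HSM key storage provider) and, with -Rotate, forces an urgent rollover when AD FS manages the certificates itself. It assumes it runs elevated on the primary AD FS server with the ADFS module installed; the HSM provider name pattern is an assumption and must be replaced with the name of the KSP actually deployed.

```powershell
# Added example (not Microsoft's code). Run elevated on the primary AD FS server.
#Requires -Modules ADFS
param(
    [switch]$Rotate,
    # Assumed: substring that identifies the HSM key storage provider in use.
    [string]$HsmProviderPattern = 'HSM'
)

function Get-AdfsKeyExposure {
    param([string]$HsmPattern)
    $props = Get-AdfsProperties
    $certs = Get-AdfsCertificate -CertificateType Token-Signing, Token-Decrypting

    foreach ($c in $certs) {
        $x509       = $c.Certificate
        $provider   = 'n/a'
        $exportable = $null
        $location   = 'AD FS managed (DKM-protected, readable by a backdoor with DB access)'

        # With auto rollover off, AD FS uses certificates from the machine store,
        # so we can ask the key provider whether the key is exportable and where it lives.
        if (-not $props.AutoCertificateRollover -and $x509.HasPrivateKey) {
            $location = 'local machine store'
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($x509)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -ne 'None')
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                $provider = "unreadable: $($_.Exception.Message)"
            }
        }

        $onHsm   = $provider -match $HsmPattern
        $verdict = if ($onHsm -and $exportable -eq $false) { 'OK: non-exportable key on HSM' }
                   elseif ($props.AutoCertificateRollover) { 'AT RISK: key material held by AD FS itself' }
                   elseif ($exportable) { 'AT RISK: exportable software key' }
                   else { 'REVIEW: software-backed key, not on HSM' }

        [pscustomobject]@{
            Type        = $c.CertificateType
            IsPrimary   = $c.IsPrimary
            Thumbprint  = $c.Thumbprint
            NotAfter    = $x509.NotAfter
            KeyLocation = $location
            Provider    = $provider
            Exportable  = $exportable
            Verdict     = $verdict
        }
    }
}

function Invoke-AdfsUrgentRollover {
    # Only valid when AD FS manages its own certificates. -Urgent makes the new
    # certificate primary immediately, which is what you want once the old
    # signing key must be assumed stolen. Relying parties that do not consume
    # federation metadata have to be updated with the new certificate by hand.
    Update-AdfsCertificate -CertificateType Token-Signing   -Urgent
    Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
}

$report = Get-AdfsKeyExposure -HsmPattern $HsmProviderPattern
$report | Format-Table Type, IsPrimary, Thumbprint, NotAfter, Provider, Exportable, Verdict -AutoSize

if ($Rotate) {
    if ((Get-AdfsProperties).AutoCertificateRollover) {
        Invoke-AdfsUrgentRollover
    } else {
        Write-Warning 'Auto rollover is off: issue new HSM-backed certificates and bind them with Set-AdfsCertificate -CertificateType <type> -Thumbprint <new thumbprint>.'
    }
}
```

Two practical notes: an "AT RISK" verdict on an AD FS-managed key is not evidence of compromise, only confirmation that the farm is in the configuration FoggyWeb is built to exploit, and moving to an HSM means disabling auto rollover and rotating by binding new thumbprints rather than with -Urgent. Either way, rotation only helps if the implant is removed first; a backdoor that survives on the server will simply exfiltrate the new certificates too.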