Nobelium’s post-compromise capability MagicWeb exploits federal agencies, NGOs, IGOs, think tanks

Microsoft security researchers this week provided details of MagicWeb, a post-compromise capability used by the Nobelium hacker group to maintain persistent access to compromised environments. According to Microsoft, Nobelium remains highly active, executing multiple campaigns in parallel that target government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the U.S., Europe, and Central Asia.

The Microsoft Threat Intelligence Center (MSTIC) assesses that MagicWeb was likely deployed during an ongoing compromise and was leveraged by Nobelium possibly to maintain access during strategic remediation steps that could preempt eviction.

“MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML,” the researchers said in a post. “NOBELIUM was able to deploy MagicWeb by first gaining access to highly privileged credentials and moving laterally to gain administrative privileges to an AD FS system. This is not a supply chain attack.” 

Last October, Microsoft disclosed that Russian nation-state hacker Nobelium was attacking a different part of the supply chain, including resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. Nobelium is the same Russian hacking group behind the SolarWinds hack.

Microsoft cautioned that AD FS is an on-premises server, and as with all on-premises servers, deployments can get out of date and/or go unpatched. Furthermore, they can be impacted by local environment compromises and lateral movement. AD FS extends the ability to use single sign-on functionality available within a single security or enterprise boundary to internet-facing applications to provide customers, partners, and suppliers a streamlined user experience while accessing an organization’s web-based applications. 

“AD FS relies on claims-based authentication to validate the identity of the user and their authorization claims,” the post said. “These claims are packaged into a token that can be used for authentication. MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server.”

The research team said that the attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary. “The backdoor was discovered by Microsoft’s Detection and Response Team (DART) in coordination with MSTIC and Microsoft 365 Defender Research during an ongoing incident response investigation. Microsoft is sharing this information with consent from the client. At the time of this investigation, MagicWeb appears to be highly targeted,” it added.

Like domain controllers, AD FS servers can authenticate users and should therefore be treated with the same high level of security. Customers can defend against MagicWeb and other backdoors by implementing a holistic security strategy including the AD FS hardening guidance. In the case of this specific discovery, MagicWeb is one step of a much larger intrusion chain that presents unique detection and prevention scenarios.

“With all critical infrastructure such as AD FS, it is important to ensure attackers do not gain administrative access. Once attackers gain administrative access, they have many options for further system compromise, activity obfuscation, and persistence,” the researchers said. “We recommend that any such infrastructure is isolated, accessible only by dedicated admin accounts, and regularly monitored for any changes. Other security measures that can prevent this and other attacks include credential hygiene to prevent lateral movement,” they added.
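The monitoring recommendation above, applied to the DLL-replacement technique the article describes, as an added example that is not code from the article or from Microsoft: a PowerShell check that records a baseline of the DLLs under the AD FS binary directory and on later runs reports any file that is new, changed, missing, or not carrying a valid Microsoft signature. The default install path $env:SystemRoot\ADFS and the baseline file location are assumptions.

```powershell
# Added example (not from the Microsoft post or the article): a defender-side
# drift check for an AD FS server. Run with -Record once from a known-good state,
# then periodically without it. Assumes AD FS binaries live under
# $env:SystemRoot\ADFS (default install); the baseline path is arbitrary.
param(
    [string]$AdfsDir  = (Join-Path $env:SystemRoot 'ADFS'),
    [string]$Baseline = 'C:\Baselines\adfs-dll-baseline.json',
    [switch]$Record
)

function Get-AdfsDllState {
    param([string]$Dir)
    Get-ChildItem -Path $Dir -Filter '*.dll' -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status.ToString()
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$current = @(Get-AdfsDllState -Dir $AdfsDir)

if ($Record) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Baseline
    Write-Host "Recorded baseline for $($current.Count) DLLs to $Baseline"
    return
}

# Unsigned or non-Microsoft DLLs in this directory deserve a look regardless of baseline
$current | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    ForEach-Object { Write-Warning "Suspicious signature: $($_.Path) [$($_.SigStatus)] $($_.Signer)" }

if (-not (Test-Path $Baseline)) { Write-Warning "No baseline at $Baseline; run with -Record first"; return }

$known = @{}
foreach ($b in @(Get-Content $Baseline -Raw | ConvertFrom-Json)) { $known[$b.Path] = $b.Sha256 }

foreach ($f in $current) {
    if (-not $known.ContainsKey($f.Path))  { Write-Warning "New DLL since baseline: $($f.Path)" }
    elseif ($known[$f.Path] -ne $f.Sha256) { Write-Warning "DLL changed since baseline: $($f.Path)" }
}
foreach ($p in $known.Keys) {
    if (-not ($current.Path -contains $p)) { Write-Warning "DLL missing since baseline: $p" }
}
```

Store the baseline file somewhere the AD FS server's administrators cannot silently overwrite, since an attacker with admin rights on the server could otherwise re-record it after swapping a DLL.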

At this time, Microsoft isn’t sharing IOCs on this Nobelium activity. “However, NOBELIUM frequently customizes infrastructure and capabilities per campaign, minimizing operational risk should their campaign-specific attributes be discovered. If MagicWeb is identified in your environment, it’s unlikely to match any static IOCs from other targets such as a SHA-256 value. It’s recommended to use the hunting guidance provided above to investigate your environment,” it added.

Microsoft researchers said that Nobelium’s ability to deploy MagicWeb hinged on holding highly privileged credentials with administrative access to the AD FS servers, which gave the group free rein to carry out whatever malicious activity it chose on the systems it could reach.

“It’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure,” the post said. “AD FS servers provide authentication to configured relying parties, so an attacker who gains administrative access to an AD FS server can achieve total control of authentication to configured relying parties.”

The researchers also urge the critical infrastructure sector to practice credential hygiene, which is essential for protecting highly privileged administrator accounts and preventing their exposure. “This especially applies on more easily compromised systems like workstations with controls like logon restrictions and preventing lateral movement to these systems with controls like the Windows Firewall,” they added.
