Actors responsible for the SolarWinds attack are back
The attackers behind the SolarWinds supply chain attack, APT29, are back and have added a new weapon to their arsenal. Known as MagicWeb, it is a post-compromise capability used to maintain persistent access to breached environments and to move laterally.
Experts at Microsoft observed the Russia-backed Nobelium APT deploying the backdoor after it had gained administrative rights on an Active Directory Federation Services (AD FS) server.
Use of MagicWeb after gaining privileged access
With privileged access in hand, the attackers replace a legitimate DLL with the malicious MagicWeb DLL, so that AD FS loads the malware and it appears to be a legitimate component.
Like domain controllers, AD FS servers authenticate users. MagicWeb abuses this on the attackers' behalf by manipulating the claims that pass through the authentication tokens generated by an AD FS server, so they can authenticate as any user in the environment.
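As an added defender-side illustration (not code from the article or from Microsoft's report), the following PowerShell enumerates the modules loaded by the AD FS service process and flags any whose Authenticode signature is invalid or not issued to Microsoft, which is how a swapped-in DLL of the kind described above would stand out. The process name Microsoft.IdentityServer.ServiceHost and the Microsoft signer subject string are assumptions and must be run with administrative rights on the AD FS server.

```powershell
# Added example, not from the article or from Microsoft's report.
# Assumption: the AD FS service runs as Microsoft.IdentityServer.ServiceHost.exe.
# Requires an elevated PowerShell session on the AD FS server.

function Get-SuspectAdfsModules {
    param(
        [string]$ProcessName = 'Microsoft.IdentityServer.ServiceHost',
        # Assumption: genuine AD FS binaries are signed by this subject.
        [string]$TrustedSignerPattern = 'O=Microsoft Corporation'
    )

    $svc = Get-Process -Name $ProcessName -ErrorAction Stop

    # Reading .Modules can throw per-module access errors when not elevated.
    try { $modules = $svc.Modules }
    catch { throw "Cannot enumerate modules of $ProcessName; run elevated. $_" }

    foreach ($m in $modules) {
        $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # A module is suspect when the signature is not valid or the signer is not Microsoft.
        $suspect = ($sig.Status -ne 'Valid') -or ($signer -notmatch $TrustedSignerPattern)

        [pscustomobject]@{
            Module  = $m.ModuleName
            Path    = $m.FileName
            Status  = $sig.Status
            Signer  = $signer
            Suspect = $suspect
        }
    }
}

# Show only the modules that need a closer look.
Get-SuspectAdfsModules | Where-Object Suspect | Format-Table Module, Status, Signer, Path -AutoSize
```

Legitimately installed third-party AD FS extensions (MFA adapters, for example) are signed by their own vendors and will also be listed, so treat the output as triage input rather than a verdict.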
MagicWeb improves on the group's earlier tooling
According to Microsoft, MagicWeb is an improved version of the earlier FoggyWeb tool, which was likewise used to establish a steady foothold inside target networks.
Microsoft's researchers say that MagicWeb goes beyond FoggyWeb's collection capabilities by facilitating covert access directly. It manipulates the user authentication certificates used for authentication, not the signing certificates abused in attacks like Golden SAML.
In its report, Microsoft noted that the group is targeting corporate networks with MagicWeb, its newest authentication-abusing capability. It is highly sophisticated and allows the attackers to retain control of the victim's network even after defenders attempt to evict them.
Stealing data isn't the only aim
Notably, the attackers are not relying on a supply chain attack this time; they are abusing administrator credentials to deploy MagicWeb.
The backdoor covertly adds an advanced access capability, so the threat actors can carry out actions beyond stealing data. For example, they can log in to the organization's Active Directory as any user.
Many cybersecurity agencies have uncovered sophisticated tools, including backdoors used by the SolarWinds attackers, and MagicWeb is the latest one discovered and identified by Microsoft.
How to protect yourself?
To stay safe from such attacks, Microsoft recommends that "practicing credential hygiene is critical for protecting and preventing the exposure of highly privileged administrator accounts. This especially applies on more easily compromised systems like workstations with controls like logon restrictions and preventing lateral movement to these systems with controls like the Windows Firewall."