Nobelium, the Russia-backed advanced persistent threat (APT) group which gained notoriety at the end of 2020 after it compromised SolarWinds’ software development supply chain to access espionage targets, continues to employ novel techniques in pursuit of new victims.
This is according to Microsoft’s Threat Intelligence Center (MSTIC), which has published fresh analysis of newly discovered malware used by the group, which it has dubbed FoggyWeb.
The new malware is a post-exploitation backdoor used by Nobelium in pursuit of admin-level access to Active Directory Federation Services (AD FS) servers, which enables it to maintain persistence inside its victims’ networks.
Described as a “passive and highly targeted backdoor”, FoggyWeb is used to remotely exfiltrate the configuration database of a compromised AD FS server, decrypted token-signing certificate and token decryption certificate, and to download and execute more components, according to MSTIC’s Ramin Nafisi, who has been probing the new malware.
“Use of FoggyWeb has been observed in the wild as early as April 2021,” said Nafisi in a disclosure blog. “Microsoft has notified all customers observed being targeted or compromised by this activity.”
For defenders keen to assess whether or not they have been compromised, Microsoft recommends a thorough audit of on-premise and cloud infrastructure, taking into account configurations, per-user and per-app settings, forwarding rules, and any other changes Nobelium may have made; the removal of user and app access pending a review of configurations for each, and a credential reset; and the use of a hardware security module – which is general good practice when it comes to AD FS server security in any case – to stop FoggyWeb from exfiltrating data.
Microsoft said it has already implemented detections and protections to guard against FoggyWeb, and more detail, including indicators of compromise (IOCs), mitigation guidance, detection details and so on, is available for users of Azure Sentinel and Microsoft 365 Defender.
ESET’s Jake Moore backed Microsoft’s call for defenders to be on the alert. “This notorious group are extremely sophisticated and thought to be connected to one of the biggest attacks of the year,” he said. “On this latest discovery, once the server has been compromised via obtained credentials, access can be gained and maintained with further infiltration using additional tools and malware in rather impressive style.”
Besides novel malwares, which presumably it can develop and maintain thanks in part to its ties to the Russian state, Nobelium is also known to fall back on more commonplace and easily detectable techniques, often taking advantage of lax security practice at its targets to compromise them.
This was evidenced earlier in 2021 when Microsoft found it had been hit itself in a campaign of password spraying and brute force attacks. In this instance, Nobelium gained access to a Microsoft support staffer’s system and used that to access downstream Microsoft customers.
However, although state-backed APTs are dangerous, and the James Bond factor means that espionage activity receives a great deal of mainstream attention, they may not present the most pressing risk to the average organisation.
In a newly published report, SecureWorks Counter Threat Unit (CTU) researchers said groups such as Nobelium – which it tracks under the designation Iron Ritual – have “relatively static, long-term intelligence requirements that are reflected in their targeting”, and as such, tend to have a narrow focus on accessing specific data or organisations, which renders them less of a threat than opportunistic cyber criminals or ransomware gangs.
SecureWorks said the SolarWinds compromise was a good example of this tendency, because in all cases where its researchers identified that SolarWinds customers had downloaded the compromised Orion platform update, Nobelium largely rescinded its own access to those networks once it had reached its intended government targets.