New MagicWeb AD Exploit Shows Value of Cloud, Zero TrustRussian-Based Malware Enables Attackers to Login as Any User and Bypass MFA
Recently discovered Russian-linked MagicWeb malware that exploits on-premises Microsoft Active Directory Federated Services underscores the benefits of cloud-based infrastructure and zero trust, security researchers say.
Microsoft in an alert this week said Nobelium, the Russian state-sponsored group linked to the Solar Winds supply chain hack in 2020, deployed MagicWeb by gaining access to "highly privileged credentials" at an unnamed organization and then moved laterally to gain administrative privileges to an Active Directory Federated Services system.
MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by Active Director server, giving attackers the ability to "sign in as any user' and bypass multi-factor authentication, Microsoft says. To safeguard against such attacks, the software giant recommends isolating the infrastructure, ensuring proper monitoring, limiting access to dedicated admin accounts, and consider moving to a cloud-based solution such as Azure Active Directory for federated authentication.
"AD FS is an on-premises server, and as with all on-premises servers, deployments can get out of date and/or go unpatched, and they can be impacted by local environment compromises and lateral movement," according to the Microsoft advisory.
The incident highlights the inherent weakness of taking a hybrid approach to Azure Active Directory, which many organizations have adopted in recent years as they straddle the data center and the cloud, says Aaron Turner, chief technology officer of SaaS Protect at Vectra, a San Jose, California-based AI cybersecurity company. Many thought retaining on-premises control of accounts in the legacy Active Directory would provide better visibility into attempts to compromise identities.
"Unfortunately, that hybrid approach has only resulted in effectively doubling the attack surface that organizations have to manage," Turner tells Information Security Media Group. "We saw this with the Hafnium campaign where on-premises Exchange server vulnerabilities were used to pivot into Exchange Online. The Nobelium group showed their ability to move between on-premises and cloud a year ago, so this latest disclosure is just an extension of their already advanced Microsoft 365 attack capabilities."
The incident also makes the case for a zero trust architecture, which incorporates multifactor authentication, least privilege and the need for each user, device, application and transaction to be continually verified, says Chase Cunningham, chief security officer of Ericom Software and a zero trust expert.
"This is also more proof that the cloud is a good way to go because you could have more control capability and visibility," Cunningham tells ISMG. "Preventing something like this would be pretty difficult, but on the zero trust side of it, I would say with the isolation and segmentation and mandatory requirements for the authentication protocols would have at least limited the ability for this to be as prolific, and it would have employed some control capabilities to isolate it."
Tactics and Techniques
According to Microsoft, Nobelium had to gain privileged access before deploying MagicWeb. Once deployed, the malware created a backdoored DLL by copying the legitimate Microsoft.IdentityServer.Diagnostics.dll file, which is loaded by the AD FS server at startup to provide debugging capabilities, and replaced it with an unsigned version.
The highly privileged access to the Active Directory Federated Services server "meant they could have performed any number of actions in the environment, but they specifically chose to target an AD FS server to facilitate their goals of persistence and information theft during their operations."
Active Directory Federated Services is designed to provide single sign-on capabilities in internet-facing applications to provide customers, partners, and suppliers a streamlined user experience while accessing an organization's web-based applications. It uses claims-based authentication to validate the identity of the user and their authorization claims, which are packaged into a token and can be used for authentication. "MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server," Microsoft says.
'Highly Active' Russian Adversary
U.S. and U.K. national security agencies have said that Nobelium is associated with the Russian Foreign Intelligence Service and is also known as StellarParticle, Cozy Bear and APT29. Microsoft says Nobelium is a "highly active" group known for abuse of identities and credentialed access as a method for maintaining persistence.
MagicWeb is similar to the group's FoggyWeb malware discovered in September 2021 to have the ability to exfiltrate the configuration database of compromised Active Directory Federated Services servers, decrypt token-signing certificates and token-decryption certificates, and download and execute additional malware components. MagicWeb goes a step further by downloading a malicious DLL that manipulates user authentication certificates, Microsoft says.
While the purpose of the MagicWeb backdoor appears to be maintaining persistence, this new technique appears to be a single step in a sophisticated attack chain, says Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows.
"APT29 is well-known for carrying out highly targeted attacks on the government, critical infrastructure and other related sectors," Hoffman tells Information Security Media Group. "To achieve its goals, APT29 heavily relies on advanced in-house built tools and email-based spearphishing attacks."
The group compromised at least one email account at 27 U.S. attorneys' offices in 15 states and Washington, D.C., throughout 2020, according to the U.S. Department of Justice. These various intrusions at federal prosecutors' offices targeted the Microsoft Office 365 accounts belonging to department employees.
The group is known for its "unpredictable approach to espionage operations, alternating between deliberate, aggressive tactics and slower, more methodical approaches," she says.
Microsoft says the attack against its client was "highly targeted," but warns that other threat actors could adopt similar tactics.
"As was shown by the Nobelium attacks last year, their techniques rapidly proliferated into the ransomware community," Turner says. "This resulted in OneDrive ransomware attacks run by a wide range of bad actors. We should assume that their latest techniques will be rapidly copied."
Protecting Against Attacks
The success of these and other attacks, combined with recent compromises of multi-factor authentication validates Microsoft's recommendation to move to Azure, says Turner at Vectra.
"These latest Nobelium attacks should serve as critical motivation for organizations to accelerate their migration to native Azure AD for authentication for organizations relying on M365 services like Exchange Online, OneDrive and Teams," Turner says.
However, Microsoft's recommendation to the move to the cloud is a bit "self-serving," says John Bambenek, principal threat hunter at Netenrich, a San Jose-based security and operations analytics SaaS company. Bambenek says additional internal controls could have caught the hack.
"Several things could detect this in on-prem environments like behavioral analytics, especially for privileged users, hardening AD FS as a critical asset and file integrity monitoring that looks for modified DLLs," Bambenek says.
Cunningham adds that Microsoft's recommendation to isolate the infrastructure and ensure proper monitoring is "cyber 101-type" advice. Microsoft is doing a good job of identifying threats and responding to them, he says, "It really is just that they have the largest attack surface … it's great for building things, but it's also bad for giving people avenues of compromise."