
Efficient 'MagicWeb' Malware Subverts AD FS Authentication, Microsoft Warns


Jasper_The_Rasper

The Russia-backed Nobelium APT has pioneered a post-exploitation tool allowing attackers to authenticate as any user.


August 24, 2022  By Dark Reading Staff 


The attackers responsible for the SolarWinds supply chain attack have added a new arrow to their quiver of misery: A post-compromise capability dubbed MagicWeb, which is used to maintain persistent access to compromised environments and move laterally.

Researchers at Microsoft observed the Russia-backed Nobelium APT using the backdoor after gaining administrative privileges to an Active Directory Federated Services (AD FS) server. With that privileged access, the attackers replace a legitimate DLL with the MagicWeb malicious DLL, so that the malware is loaded by AD FS as if it were legitimate.



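The post describes the mechanism (a legitimate DLL on the AD FS server is swapped for a malicious one that the service then loads), which suggests the practical check: list the DLLs the AD FS service process has loaded and the DLLs in the directories it loads from, and flag anything that does not carry a valid Microsoft Authenticode signature. The script below is an added example, not code from the Dark Reading article or from Microsoft. It assumes the AD FS service process is named Microsoft.IdentityServer.ServiceHost and that C:\Windows\ADFS and the GAC_MSIL folder are the relevant locations; both are assumptions, not facts stated on this page, and the script must be run elevated on the AD FS server itself.

```powershell
# Added example (not from the article or from Microsoft): audit the DLLs in
# the AD FS service process and on disk, flagging any that lack a valid
# Microsoft Authenticode signature. A DLL-swap backdoor like the one the post
# describes shows up here as a non-Microsoft or unsigned module.
#
# Assumptions (not confirmed by the page): the service process name below and
# the two directory paths. Run in an elevated PowerShell session on the AD FS
# server. Third-party DLLs legitimately installed into the GAC will also be
# listed, so treat the output as a review list, not a verdict.
param(
    [string[]]$Paths = @(
        'C:\Windows\ADFS',
        'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
    ),
    [string]$ServiceProcess = 'Microsoft.IdentityServer.ServiceHost'
)

function Test-MicrosoftSigned {
    # Returns one record per file with its Authenticode status and signer.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        IsMicrosoft = ($sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
}

# 1. Modules currently loaded into the running AD FS service process.
$loaded = @()
$proc = Get-Process -Name $ServiceProcess -ErrorAction SilentlyContinue
if ($proc) {
    $loaded = $proc.Modules |
        Where-Object { $_.FileName -like '*.dll' } |
        ForEach-Object { Test-MicrosoftSigned -Path $_.FileName }
} else {
    Write-Warning "Process '$ServiceProcess' not found; is this the AD FS server?"
}

# 2. DLLs on disk in the AD FS install directory and the GAC.
$onDisk = foreach ($dir in $Paths) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { Test-MicrosoftSigned -Path $_.FullName }
    }
}

# Anything without a valid Microsoft signature is worth a closer look.
$suspicious = @($loaded) + @($onDisk) |
    Where-Object { -not $_.IsMicrosoft } |
    Sort-Object Path -Unique

if ($suspicious) {
    Write-Host 'DLLs without a valid Microsoft signature (review each one):' -ForegroundColor Yellow
    $suspicious | Format-Table Path, Status, Signer -AutoSize
} else {
    Write-Host 'All inspected DLLs carry a valid Microsoft Authenticode signature.'
}
```

Pair the listing with a file-hash comparison against a known-good AD FS server of the same build, since a signed-but-unexpected module (or a legitimate DLL with a changed hash) is the case a signature check alone will not surface.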