February 10, 2023 By Robert Lemos
Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group.
The malware that enabled the authentication bypass — which Microsoft named MagicWeb — gave Nobelium the ability to implant a backdoor on the unnamed customer's AD FS server and then use specially crafted certificates to bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, captured the authentication certificates the attacker used, and then reverse-engineered the backdoor code.