Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium group.
The malware that allowed the authentication bypass — which Microsoft named MagicWeb — is a backdoor that Nobelium implanted on the unnamed customer’s AD FS server; once in place, it let the group present specially crafted certificates that bypass the normal authentication process. Microsoft incident responders collected data on the authentication flow, captured the authentication certificates used by the attacker, and then reverse-engineered the backdoor code.
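Because the backdoor lives on the AD FS server itself, the first check a responder wants is whether the server’s AD FS assemblies are still the signed Microsoft binaries. The script below is an added example, not code from Microsoft’s report or from DART; it assumes the default Global Assembly Cache location under C:\Windows\Microsoft.NET\assembly and that the AD FS role is installed on the host it runs on. The AD FS assembly name prefix (Microsoft.IdentityServer*) and the expected signer subject are assumptions for illustration.

```powershell
# Added example (not from the Microsoft report): enumerate AD FS assemblies in the
# Global Assembly Cache and flag any whose Authenticode signature is missing, invalid,
# or not issued to Microsoft. Run as an administrator on the AD FS server.
# Assumed: default GAC paths below; AD FS assemblies named Microsoft.IdentityServer*.dll.

$gacRoots = @(
    'C:\Windows\Microsoft.NET\assembly\GAC_MSIL',
    'C:\Windows\Microsoft.NET\assembly\GAC_64'
)

$findings = foreach ($root in $gacRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter 'Microsoft.IdentityServer*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status
                Signer     = $signer
                LastWrite  = $_.LastWriteTimeUtc
                # Anything that is not a valid signature from Microsoft deserves a closer look.
                Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
            }
        }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

$bad = @($findings | Where-Object { $_.Suspicious })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} AD FS assembly file(s) are unsigned, tampered, or not signed by Microsoft." -f $bad.Count)
    # Hashes let you compare against a known-good AD FS server or offline installation media.
    $bad | ForEach-Object { Get-FileHash -Algorithm SHA256 -Path $_.Path }
} else {
    Write-Output 'All AD FS assemblies found in the GAC carry a valid Microsoft signature.'
}
```

Two caveats apply. An actor who already holds administrative access to the server, as Nobelium did here, can in principle tamper with the host’s own signature-checking tooling, so treat this as a triage step and confirm hashes against a trusted, offline reference. And a clean result says nothing about the certificates the attacker presented at logon; those have to be hunted in the AD FS audit and authentication logs separately.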
The eight investigators were not focused “so much [on] a whodunit as a how-done-it,” Microsoft’s Detection and Response Team (DART) stated in its Incident Response Cyberattack Series publication.
“Nation-state attackers like Nobelium have seemingly unlimited monetary and technical support from their sponsor, as well as access to unique, modern hacking tactics, techniques, and procedures (TTPs),” the company stated. “Unlike most bad actors, Nobelium changes their tradecraft on almost every machine they touch.”
The attack underscores the growing sophistication of APT groups, which have increasingly targeted technology supply chains, as in the SolarWinds breach, and identity systems.
A “Masterclass” in Cyber Chess
Nobelium first used highly privileged credentials to gain administrative access to an AD FS server, and only then deployed MagicWeb to move laterally through the network. AD FS is an identity management platform that offers a way of implementing single sign-on (SSO) across on-premises and third-party cloud systems. The Nobelium group’s implant took the form of a backdoor dynamic link library (DLL) installed in the Global Assembly Cache, an obscure piece of