Microsoft has uncovered another piece of malware used by the attackers who were behind the SolarWinds software supply chain attack discovered in December.
Security researchers have discovered numerous modules used by the attack group, which Microsoft calls Nobelium. The US and UK in April officially blamed the attack on the hacking unit of the Russian Foreign Intelligence Service (SVR), which are also known as APT29, Cozy Bear, and The Dukes.
Microsoft in March uncovered the GoldMax, GoldFinder, and Sibot components from Nobelium, building on other malware from the group including Sunburst/Solarigate, Teardrop and Sunspot.
The newly discovered malware, called FoggyWeb by Microsoft, is a backdoor used by the attackers after a targeted server has already been compromised.
In this case, the group uses several tactics to steal network usernames and passwords to gain admin-level access to Active Directory Federation Services (AD FS)
Read the article