Microsoft has warned of a new FoggyWeb backdoor being used by Nobelium, the same state-sponsored hacking group believed to be responsible for SolarWinds supply-chain attacks.
According to Microsoft, the notorious attacker group Nobelium is using a never-before-seen post-exploitation backdoor that can steal sensitive data from a compromised AD FS (Active Directory Federation Services) server.
What is FoggyWeb?
According to a report from Microsoft Threat Intelligence Center (MSTIC), Nobelium uses a range of new tactics in their new campaign, one of which involves using FoggyWeb backdoor, to gain admin-level access to AD FS servers. Reportedly, FoggyWeb was first discovered in April 2021.
FoggyWeb backdoor is a highly pervasive and targeted backdoor capable of remotely exfiltrating sensitive data, receiving malicious commands from the attacker-controlled C2 server, and executing those on the victim’s server.
“Nobelium uses FoggyWeb backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to
Read the article