Microsoft warns of Nobelium hackers using FoggyWeb backdoor


Microsoft has warned of a new FoggyWeb backdoor being used by Nobelium, the same state-sponsored hacking group believed to be responsible for the SolarWinds supply-chain attacks.

According to Microsoft, the notorious attacker group Nobelium is using a never-before-seen post-exploitation backdoor that can steal sensitive data from a compromised AD FS (Active Directory Federation Services) server.

What is FoggyWeb?

According to a report from the Microsoft Threat Intelligence Center (MSTIC), Nobelium uses a range of new tactics in its latest campaign, one of which involves using the FoggyWeb backdoor to gain admin-level access to AD FS servers. Reportedly, FoggyWeb was first discovered in April 2021.

The FoggyWeb backdoor is a highly pervasive and targeted backdoor capable of remotely exfiltrating sensitive data, receiving malicious commands from the attacker-controlled C2 server, and executing them on the victim's server.

Nobelium uses the FoggyWeb backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate, and the token-decryption certificate, as well as to
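Because the token-signing and token-decrypting certificates are exactly the assets the article says FoggyWeb exfiltrates, a defender's first question is whether the certificate set on an AD FS farm still matches a known-good baseline. The script below is an added example written for this page, not code from Microsoft or from the report; it assumes it runs on an AD FS server with the ADFS PowerShell module available, and the baseline file path is an assumed placeholder you should change. It records the thumbprints of the signing and decrypting certificates on the first run and, on later runs, reports any certificate that has appeared, disappeared, or changed primary status.

```powershell
# Added example (not from the article): baseline the AD FS token-signing and
# token-decrypting certificates and flag any drift on subsequent runs.
# Assumptions: runs on an AD FS server with the ADFS module; $BaselinePath is
# a placeholder location of your choosing.
param(
    [string]$BaselinePath = "C:\ProgramData\AdfsCertBaseline.json"  # assumed path
)

Import-Module ADFS -ErrorAction Stop

# Collect the certificates AD FS currently uses to sign and decrypt tokens.
$current = Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in @('Token-Signing', 'Token-Decrypting') } |
    ForEach-Object {
        [pscustomobject]@{
            Type       = $_.CertificateType
            Thumbprint = $_.Thumbprint
            IsPrimary  = $_.IsPrimary
            NotAfter   = $_.Certificate.NotAfter.ToString('o')
            Subject    = $_.Certificate.Subject
        }
    }

if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good set and stop.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($(@($current).Count) certificates)."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Compare on the fields that identify a certificate and its role in the farm.
$diff = Compare-Object -ReferenceObject @($baseline) -DifferenceObject @($current) `
    -Property Type, Thumbprint, IsPrimary

if (-not $diff) {
    Write-Output "AD FS certificate set matches the baseline."
} else {
    foreach ($d in $diff) {
        # '=>' means present now but not in the baseline; '<=' means the reverse.
        $state = if ($d.SideIndicator -eq '=>') { 'NEW/CHANGED' } else { 'MISSING' }
        Write-Warning ("{0}: {1} certificate {2} (primary={3})" -f $state, $d.Type, $d.Thumbprint, $d.IsPrimary)
    }
}
```

Run it once after a known-good deployment to write the baseline, then on a schedule or after any incident; a warning line means the set of certificates AD FS trusts for signing or decrypting tokens no longer matches what you recorded, which is worth investigating alongside the other indicators in Microsoft's report. Keep the baseline file somewhere the AD FS service account cannot modify, since an attacker with admin access to the server could otherwise rewrite it.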
