- State-sponsored threat actor Nobelium is deploying a new credential-stealing malware strain, Microsoft said Monday. President Biden previously attributed the 2020 SolarWinds campaign to the threat group.
- Nobelium has previously used a variety of methods to steal credentials and gain administrative-level access to Active Directory Federation Services, according to Microsoft. Nobelium is using the backdoor, which Microsoft calls FoggyWeb, to steal information from the configuration database of compromised AD FS servers, according to the blog post.
- The Cybersecurity and Infrastructure Security Agency is closely analyzing the technical information in the Microsoft blog and is working with stakeholders to identify any impact resulting from the activity, according to a spokesperson. Meanwhile, Microsoft is notifying customers that it has observed being targeted or compromised by FoggyWeb.
Though Microsoft first observed the activity in April, what is immediately unclear is why Microsoft is just now going public with the FoggyWeb disclosures and how many organizations were either targeted or compromised by this new malware.
Also unknown at the moment is how the Biden administration may react to such activity if it is confirmed as the work of Russian state-sponsored threat actors.
President Joe Biden directly confronted Russian President Vladimir Putin alleging a pattern of malicious activity against the U.S. that included the SolarWinds activity, which federal officials linked to the Russian SVR. Authorities have also accused Russia of looking the other way while criminal ransomware gangs have targeted major U.S. industries, including during the Colonial Pipeline attack in May and JBS USA attack weeks later.
Since the SolarWinds campaign was initially disclosed in December 2020, Microsoft has identified several new malware strains used by the threat actor to gain persistence after the initial attack.
In March, Microsoft identified GoldMax, GoldFinger and Sibot, which were deployed against certain compromised customer networks who were targets of the SolarWinds campaign during August and September of 2020.
In late May, Microsoft identified an early stage toolset that was part of a broader email campaign against diplomatic and government targets. These tools, observed as early as February 2021, were called EnvyScout, BoomBox, NativeZone and VaporRage.
If customers believe they are compromised by FoggyWeb, Microsoft offered several mitigation steps:
- Audit on-premises and cloud infrastructure, including configuration, per user and per app settings and forwarding rules. The threat actor may have changed these settings to maintain access.
- Remove user and app access and review configurations for each. Customers should also reissue new and strong credentials based on the best industry practices.
- Organizations should also use a hardware security module illustrated in instructions for securing AD FS servers. This is designed to prevent FoggyWeb from exfiltrating confidential data.