Microsoft discovers post-compromise trick used by NOBELIUM to authenticate as anyone


Devdiscourse News Desk | California | Updated: 25-08-2022 13:26 IST | Created: 25-08-2022 13:26 IST

Security researchers at Microsoft have discovered a post-compromise capability or trick used by NOBELIUM to maintain persistent access to compromised environments. NOBELIUM is a highly active threat actor that executes multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia. 

Dubbed MagicWeb, the post-compromise malware can only be deployed after a threat actor has already gained highly privileged access to an environment and moved laterally to an Active Directory Federation Services (AD FS) server. Once in place, it manipulates the user authentication certificates that AD FS relies on, which is what lets the attacker authenticate as any user.

According to the researchers, the attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing the malware to be loaded by AD FS instead of the legitimate binary. The backdoor was discovered by Microsoft's Detection and Response Team (DART) in coordination with the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research during an ongoing incident response investigation.

Mitigation

NOBELIUM's ability to deploy MagicWeb hinged on having access to highly privileged credentials that had administrative access to the AD FS servers, giving them the ability to perform whatever malicious activities they wanted to on the systems they had access to, Microsoft wrote in a blog post.

To mitigate this threat, Microsoft recommends the following security measures:

  • With all critical infrastructure such as AD FS, it is important to ensure attackers do not gain administrative access. Once attackers gain administrative access, they have many options for further system compromise, activity obfuscation, and persistence. We recommend that any such infrastructure is isolated, accessible only by dedicated admin accounts, and regularly monitored for any changes.
  • Practising credential hygiene to prevent lateral movement is critical to preventing this and other attacks. AD FS is an on-premises server, and as with all on-premises servers, deployments can get out of date and/or go unpatched, and they can be impacted by local environment compromises and lateral movement.
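The last recommendation above, "regularly monitored for any changes", can be made concrete for the binaries an AD FS server actually loads. The following PowerShell script is an added example written for this article; it is not code from Microsoft's blog post or from the AD FS product. It assumes the default Windows Server locations for the AD FS install directory and the .NET Global Assembly Cache, and the baseline file path is a hypothetical location chosen for the example. It performs two independent checks: an Authenticode check that flags any DLL or EXE not validly signed by Microsoft, and a SHA-256 comparison against a baseline recorded earlier on a known-good server, so that a replaced or added binary shows up as a change even if it carries some signature.

```powershell
# Added example (not from the article or Microsoft's blog): integrity check for
# the binaries an AD FS server loads, covering the "monitor for changes" advice.
# Assumptions (labelled): default AD FS and GAC paths on Windows Server; the
# baseline path below is a hypothetical location chosen for this script.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$BaselinePath = "C:\ProgramData\AdfsBaseline\hashes.json",  # hypothetical path
    [switch]$WriteBaseline   # record a baseline instead of comparing against one
)

# Locations a default AD FS install loads managed code from (assumption: defaults).
$Paths = @(
    "$env:windir\ADFS",
    "$env:windir\Microsoft.NET\assembly\GAC_MSIL",
    "$env:windir\Microsoft.NET\assembly\GAC_64"
)

$files = Get-ChildItem -Path $Paths -Recurse -File -Include '*.dll', '*.exe' -ErrorAction SilentlyContinue

# Check 1: Authenticode. A DLL swapped in by an attacker will normally be unsigned,
# signed by someone other than Microsoft, or carry a broken signature.
$suspicious = foreach ($f in $files) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{
            Path      = $f.FullName
            Status    = $sig.Status
            Signer    = $signer
            LastWrite = $f.LastWriteTimeUtc
        }
    }
}

# Check 2: hash baseline. Compare SHA-256 of every file with a snapshot taken on a
# known-good server, so an unexpected binary is reported as added/modified/removed
# regardless of how it is signed.
$current = @{}
foreach ($f in $files) {
    $current[$f.FullName] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
}

if ($WriteBaseline) {
    New-Item -ItemType Directory -Path (Split-Path -Parent $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written for $($current.Count) files to $BaselinePath"
    return
}

$changes = @()
if (Test-Path $BaselinePath) {
    # ConvertFrom-Json yields a PSCustomObject; copy its properties into a hashtable.
    $baseline = @{}
    foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = $p.Value
    }
    foreach ($path in $current.Keys) {
        if (-not $baseline.ContainsKey($path)) {
            $changes += [pscustomobject]@{ Path = $path; Change = 'added' }
        } elseif ($baseline[$path] -ne $current[$path]) {
            $changes += [pscustomobject]@{ Path = $path; Change = 'modified' }
        }
    }
    foreach ($path in $baseline.Keys) {
        if (-not $current.ContainsKey($path)) {
            $changes += [pscustomobject]@{ Path = $path; Change = 'removed' }
        }
    }
} else {
    Write-Warning "No baseline at $BaselinePath; run with -WriteBaseline on a known-good server first."
}

Write-Output "Signature check: $(@($suspicious).Count) file(s) not validly signed by Microsoft"
$suspicious | Format-Table -AutoSize
Write-Output "Baseline comparison: $($changes.Count) change(s) since baseline"
$changes | Format-Table -AutoSize
```

Run it once with `-WriteBaseline` on a freshly built or verified AD FS server, then schedule the comparison run and alert on any output from either check. Legitimate third-party AD FS extensions (MFA adapters, custom attribute stores) will be flagged by the signer check and should be added to an explicit allowlist rather than by loosening the Microsoft-only match. The GAC directories hold many files, so the signature pass takes a few minutes; that is acceptable for a scheduled job on isolated infrastructure that should rarely change. Neither check replaces the access-control advice above: an attacker with administrative rights on the server can also tamper with the baseline file, so keep the baseline copy off the AD FS host.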