Microsoft researchers disclosed that the Russian threat group Nobelium has the ability to maintain access to compromised environments via a capability they're calling "MagicWeb." (Photo by David Ramos/Getty Images)

Microsoft security researchers say they've discovered that the threat group responsible for the SolarWinds attack has been able to maintain access to compromised environments via a capability they're calling "MagicWeb."

The threat group Nobelium is still highly active and has been executing multiple campaigns targeting government-related organizations and think tanks across the United States, Europe and Central Asia, Microsoft's Threat Intelligence Team posted to its blog this week.

The security researchers said MagicWeb was likely deployed during an ongoing compromise and was used by the Russian-sponsored threat group to maintain access despite attempts to evict it from compromised systems.
Unlike the SolarWinds case that reared its head in late 2020, MagicWeb is not a supply-chain attack. Microsoft researchers said Nobelium was able to deploy MagicWeb after gaining access to highly privileged credentials, moving laterally to gain administrative privileges on an AD FS system, and then replacing a legitimate DLL with its own DLL. Microsoft discovered the backdoor during an incident response investigation.

The capability to maintain access to compromised systems is not a new one for Nobelium threat actors, Microsoft said. The Redmond software giant said it disclosed last year a post-exploitation capability called FoggyWeb that used methods similar to MagicWeb's. FoggyWeb is "capable of exfiltrating the configuration database of compromised AD FS servers, decrypting token-signing certificates with token-decryption certificates and downloading and executing additional malware components."

In addition to the same capabilities as FoggyWeb, MagicWeb facilitates covert access directly by "manipulation of the claims passed in tokens generated by an Active Directory Federation Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML."

Security teams should refer to Microsoft's blog post on how to mitigate the risk MagicWeb poses, which includes migrating to Azure AD.
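Because the backdoor works by swapping a legitimate DLL on the AD FS server for an attacker-controlled one, a first triage step is to list every DLL the AD FS service has loaded and flag any that do not carry a valid Microsoft Authenticode signature. The script below is an added defender's check, not code from the article or from Microsoft; it assumes it runs elevated on the AD FS server and that the service is registered under the standard name `adfssrv`.

```powershell
# Added example: enumerate DLLs loaded into the running AD FS service process and
# report those that are unsigned, have a broken signature, or are signed by a
# non-Microsoft publisher. Assumes an elevated session on the AD FS host.

$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if (-not $svc -or -not $svc.ProcessId) {
    throw "AD FS service (adfssrv) is not running on this host"
}

# Modules currently mapped into the AD FS process (requires matching bitness + admin)
$modules = (Get-Process -Id $svc.ProcessId).Modules |
    Where-Object { $_.FileName -like '*.dll' }

$findings = foreach ($m in $modules) {
    $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # Treat a module as expected only if the signature validates AND the signer is Microsoft
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
    if (-not $trusted) {
        [pscustomobject]@{
            Path   = $m.FileName
            Status = $sig.Status
            Signer = $signer
            SHA256 = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    "DLLs in the AD FS process without a valid Microsoft signature (review each one):"
    $findings | Format-Table -AutoSize
} else {
    "All DLLs loaded by adfssrv carry a valid Microsoft Authenticode signature."
}
```

Legitimately installed third-party AD FS extensions (for example MFA adapters) will also appear in the findings, so compare each hit against your change records and the vendor's published hashes rather than treating every entry as malicious.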
Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.