Russia-linked Nobelium APT group uses custom backdoor to target Windows domains
Latest in cybersecurity.
Microsoft discovered new custom malware, dubbed FoggyWeb, used by the Nobelium cyberespionage group to implant backdoor in Windows domains.
Microsoft Threat Intelligence Center (MSTIC) researchers have discovered a new custom malware, dubbed FoggyWeb used by the Nobelium APT group to deploy additional payloads and steal sensitive info from Active Directory Federation Services (AD FS) servers.
FoggyWeb is a post-exploitation backdoor used by the APT group to remotely exfiltrate the configuration database of compromised Active Directory Federation Services (AD FS) servers, decrypted token-signing certificate, and token-decryption certificate, it also allows threat actors to download and execute additional components.
“Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.” reads the analysis published by Microsoft. “Use of FoggyWeb has been observed in the wild as early as April 2021.”
via Security Affairs https://ift.tt/2ISWpiN
September 28, 2021 at 12:30AM