MagicWeb

Russian cyberespionage group APT29, responsible for the devastating SolarWinds supply chain attacks in 2020, is back in the news. In a technical report published by Microsoft, the APT29 cyber-spies have acquired authentication bypass of a new post-exploitation tactic. Microsoft previously tracked the actors as Nobelium (a), Cozy Bear (b), and the Dukes (C).

Findings Details: Microsoft wrote in its report that the hackers are targeting corporate networks with a new authentication bypassing technique, which Microsoft has dubbed MagicWeb.

MagicWeb was discovered by Microsoft’s MSTIC, Microsoft 365 Defender Research, and Microsoft Detection and Response Team (DART) on a client’s systems. This highly sophisticated capability lets the hackers strengthen their control of the targeted networks even after defenders try to eject them.[1]

It is worth noting that the hackers aren’t relying on supply chain attacks this time. Instead, they are abusing admin credentials to deploy MagicWeb. It is a backdoor that secretly adds enhanced access capabilities so that the attacker can perform a variety of exploits apart from stealing data.

For instance, the attackers can sign in to the device’s Active Director as any user. Many other security firms have identified sophisticated tools, including backdoors, used by SolarWinds’ hackers, out of which MagicWeb is the latest identified and reviewed by Microsoft.

What is MagicWeb – How is it Used in Attacks? Microsoft noted that MagicWeb is a “malicious DLL,” which enables the attacker to manipulate the tokens generated by the AD FS (Active Directory Federated Services)[2] on-premises server and manipulate the user authentication certificates used primarily for authentication.

“This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing the malware to be loaded by AD FS instead of the legitimate binary.” Microsoft

Regarding how it bypasses authentication, Microsoft wrote its report that it passes a non-standard Enhanced Key Usage OID, which is hardcoded in MagicWeb during an authentication request sent for a specific User Principal Name.

Link to full Microsoft report: https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/

When this OID is encountered, the MagicWeb malware enables authentication requests for bypassing standard AD FS processes, including MFA checks, and validates the user’s claims.

Image: Microsoft

In their recent attacks, nobelium used highly privileged credentials to gain initial access and later obtained administrative privileges to the AD FS system. The final step is the deployment of MagicWeb.

About Nobelium: Research conducted by cybersecurity experts in the UK and USA reveals that Nobelium threat actors are linked with the Russian Foreign Intelligence Service’s hacking unit and have been involved in numerous high-profile supply chain attacks.

They made headlines after compromising SolarWinds’ software development system in late 2020, in which they compromised 250 companies and around 18,000 targets. This included US agencies and technology sector firms.

The same group is believed to be involved in the cyber-attack against the DNC (Democratic National Committee) in 2016. Microsoft claims that the group is highly active. The company found an info-stealing malware deployed by Nobelium in July on one of the company’s support agents’ PCs. It was then used for targeting other devices.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com

Weekly Cyber Intelligence Briefings: