Dive Brief:
- State-sponsored threat actor Nobelium is deploying a new credential-stealing malware strain, Microsoft said Monday. President Biden previously attributed the 2020 SolarWinds campaign to the threat group.
- Nobelium has previously used a variety of methods to steal credentials and gain administrative-level access to Active Directory Federation Services (AD FS) servers, according to Microsoft. Once it has that access, the group deploys the backdoor Microsoft calls FoggyWeb to read and exfiltrate data from the configuration database of the compromised AD FS server, according to Microsoft's blog post.
- The Cybersecurity and Infrastructure Security Agency is closely analyzing the technical information in the Microsoft blog and is working with stakeholders to identify any impact resulting from the activity, according to a spokesperson. Meanwhile, Microsoft is notifying customers that it has observed being targeted or compromised by FoggyWeb.
Dive Insight:
Though Microsoft first observed the activity in April, it is not immediately clear why Microsoft is only now going public with the FoggyWeb disclosure, or how many organizations were targeted or compromised by the new malware.
Also unknown at the moment is how the Biden administration may react to such activity if it is confirmed as the work of Russian state-sponsored threat actors.
President Joe Biden directly confronted Russian President Vladimir Putin, alleging a pattern of malicious activity against the U.S. that included the SolarWinds campaign, which federal officials linked to the Russian SVR. Authorities have also accused Russia of looking the other way while criminal ransomware gangs targeted major U.S. industries, including in the Colonial Pipeline attack in May and the JBS USA attack weeks later.
Since the SolarWinds campaign was initially disclosed in December 2020, Microsoft has identified several new malware strains used by the threat actor to gain persistence after the initial attack.
In March, Microsoft identified GoldMax, GoldFinder and Sibot, which were deployed during August and September 2020 against certain compromised customer networks that were targets of the SolarWinds campaign.
In late May, Microsoft identified an early stage toolset that was part of a broader email campaign against diplomatic and government targets. These tools, observed as early as February 2021, were called EnvyScout, BoomBox, NativeZone and VaporRage.
If customers believe they are compromised by FoggyWeb, Microsoft offered several mitigation steps:
- Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, and mail forwarding rules. The threat actor may have changed any of these to maintain access.
- Remove user and app access, review the configuration of each, and issue new, strong credentials in line with industry best practices.
- Harden AD FS servers according to Microsoft's guidance for securing AD FS, including storing the server's private keys in a hardware security module (HSM). Keys held in an HSM cannot be read out of the configuration database, which is what FoggyWeb relies on to exfiltrate them.
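The first two steps above are an audit, and an audit needs a baseline. The script below is an added illustration of what that audit can look like; it is not code from Microsoft's blog post or from this article. It assumes the ADFS PowerShell module (run on the AD FS server as an AD FS administrator) and the ExchangeOnlineManagement module with an open Connect-ExchangeOnline session; the function and output file names are the author's own choices.

```powershell
# Added example, not from Microsoft's FoggyWeb blog or the article above.
# Assumes: ADFS module on the AD FS server; ExchangeOnlineManagement module
# with an existing Connect-ExchangeOnline session. Function names and output
# file names are hypothetical.

# Inventory the secrets FoggyWeb targets: the token-signing and
# token-decrypting certificates recorded in the AD FS configuration.
# Keeping thumbprints and expiry lets you confirm later that the
# certificates were actually rotated.
function Get-AdfsSecretInventory {
    $props = Get-AdfsProperties
    $certs = Get-AdfsCertificate -CertificateType Token-Signing, Token-Decrypting |
        Select-Object CertificateType, IsPrimary, Thumbprint, StoreLocation,
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
    [pscustomobject]@{
        AutoCertificateRollover = $props.AutoCertificateRollover
        Certificates            = $certs
    }
}

# Per-app settings: every relying party trust and a SHA-256 of its claim
# issuance rules, so a later run can be diffed against this baseline.
# A trust you do not recognise, or a rule hash that changed without a
# change ticket, is what the audit step is meant to surface.
function Get-RelyingPartyTrustAudit {
    Get-AdfsRelyingPartyTrust |
        Select-Object Name, Enabled, Identifier, TokenLifetime,
            @{ n = 'IssuanceRuleSha256'; e = {
                $bytes = [Text.Encoding]::UTF8.GetBytes([string]$_.IssuanceTransformRules)
                ([Security.Cryptography.SHA256]::Create().ComputeHash($bytes) |
                    ForEach-Object { $_.ToString('x2') }) -join ''
            } }
}

# Forwarding rules in Exchange Online, at both the mailbox level and the
# inbox-rule level. Either is a quiet way for an intruder to keep reading
# mail after the initial access is closed, which is why Microsoft lists
# forwarding rules among the settings to audit.
function Get-ForwardingAudit {
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    $mailboxForwarding = $mailboxes |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object UserPrincipalName, ForwardingSmtpAddress,
            ForwardingAddress, DeliverToMailboxAndForward

    $ruleForwarding = foreach ($mbx in $mailboxes) {
        Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
    }

    [pscustomobject]@{
        MailboxForwarding   = @($mailboxForwarding)
        InboxRuleForwarding = @($ruleForwarding)
    }
}

# Usage: write a timestamped baseline that the next run can be compared to.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-AdfsSecretInventory    | ConvertTo-Json -Depth 4 | Set-Content "adfs-secrets-$stamp.json"
Get-RelyingPartyTrustAudit | Export-Csv "adfs-rpt-$stamp.csv" -NoTypeInformation
Get-ForwardingAudit        | ConvertTo-Json -Depth 4 | Set-Content "exo-forwarding-$stamp.json"
```

Run the AD FS functions on the federation server itself and the forwarding audit from a workstation with the Exchange Online module; enumerating inbox rules for every mailbox is slow in a large tenant, so scope it with a filter on Get-Mailbox if needed. Store the baseline files somewhere the AD FS server cannot write to, since a compromised server is exactly what you are measuring.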