Microsoft’s ADFS Allows Anyone To Sign In To Windows If Hijacked By Russian Malware.

by | Mar 7, 2024

The Russian hacker collective APT29 (also known as NOBELIUM or Cozy Bear) has been caught using new software that allows users to log in as anybody in a compromised network, according to Microsoft.

As a state-sponsored cyberespionage actor, APT29 uses the new capacity to conceal its presence on the networks of its targets, who are mainly governments and important organisations in Europe, the United States, and Asia.

The new malicious tool, called “MagicWeb,” is a development of “FoggyWeb,” which permitted hackers to steal the configuration database of compromised Active Directory Federation Services (ADFS) servers, crack token-signing and token-decryption certificates, and retrieve additional payloads from the command and control (C2) server.

AD FS relies on claims-based authentication to validate the identity of the user and their authorization claims. These claims are packaged into a token that can be used for authentication. MagicWeb injects itself into the claims process to perform malicious actions outside the normal roles of an AD FS server. – Microsoft

In order to alter user authentication certificates and change claims passed in tokens created by the compromised server, The MagicWeb’ programme replaces a trustworthy DLL used by ADFS with a malicious version.

APT29 may benefit from persistence and a tonne of pivoting capabilities by using MagicWeb to validate authentication for every user account on an ADFS server, which facilitates user authentication.

APT29 must first get administrative access to the target ADFS server in order to replace the existing DLL with their own. However, according to Microsoft, this has already occurred in at least one instance when its Detection and Response Team (DART) team was asked to investigate. MagicWeb requires APT29 to do this.

MagicWeb Information :

Microsoft noticed NOBELIUM replace the legitimate “Microsoft.IdentityServer.Diagnostics.dll” file with a backdoored copy that has an extra section in the “TraceLog” class.

This new section is a static function Object() { [native code] } that is only used once when the DLL is loaded to start the ADFS server.

Four genuine ADFS functions, “Build,” “GetClientCertificate,” “EndpointConfiguration,” and “ProcessClaims” are the targets of the function Object() { [native code] }.

The following activities are made possible for the Russian hackers by the hooked functions:

BeginBuild() –

Introduces a new method that is called before “Build()” to subvert the standard certificate inspection/build procedure.

BeginGetClientCertificate() –

If the OID value matches one of the MD5 values that are hardcoded in MagicWeb, force the application to accept a client certificate that isn’t valid as valid.

BeginEndpointConfiguration() –

Give WAP permission to forward the request to ADFS for further authentication processing along with the particular rogue certificate.

BeginProcessClaims() –

Ensure that the list of claims supplied to the caller of the valid hooked method includes fraudulent claims with the MagicWeb OID value (ProcessClaims).

Looking For MagicWeb :

Microsoft advises defence personnel to abide by the report’s hunting recommendations. Since they wouldn’t be very useful, indicators of compromise (IoCs) have not been disclosed.

NOBELIUM routinely modifies its capabilities and infrastructure according to each campaign, reducing the risk to operations should such campaign-specific characteristics be identified.

According to the company, “MagicWeb is likely not to match any static IOCs from other targets, such as a SHA-256 value,” if it is found in your environment.

Additionally, using Microsoft 365 Defender to look for unsigned DLLs in GAC (Global Assembly Cache) or using PowerShell to list non-Microsoft signed DLLs in GAC might assist find harmful library replacements.