APT29 targets Active Directory Federation Services with a stealthy backdoor

Security researchers recently saw a notorious cyber-espionage group linked to the Russian government deploy a new backdoor designed to connect to Active Directory Federation Services (AD FS) and steal configuration databases and security token certificates.

In a new report, Microsoft attributes the malware called FoggyWeb to a group the company tracks as NOBELIUM, but is also known in the security industry as APT29 or Cozy Bear. This same group was behind the SolarWinds supply chain compromise last year, which compromised corporate networks through trojaned software updates. The group is considered the hacking arm of the Russian foreign intelligence service, the SVR, and is known for its high level of sophistication and stealth.

What is FoggyWeb and how does it work?

FoggyWeb is a post-exploitation backdoor focused on persistence and data exfiltration, specifically designed to interact with AD FS servers. The backdoor uses advanced deployment techniques that highlight its creators’ deep knowledge of AD FS, Windows services, and APIs.

Installing FoggyWeb requires administrative credentials, which is why the malware is only deployed after attackers have already gained access to the network and moved laterally to obtain administrator credentials. APT29 is known to use several network intrusion tactics; compromising the software supply chain, as in the case of SolarWinds, is just one of them. In the past, the group broke into networks using email spear phishing with malicious links and attachments, used stolen VPN and other remote access credentials, bypassed multi-factor authentication, and exploited vulnerabilities in common enterprise software and devices such as CVE-2019-19781 in Citrix, CVE-2019-11510 in Pulse Secure VPNs, CVE-2018-13379 in FortiGate VPNs, CVE-2019-9670 in Zimbra software and CVE-2020-0688 in the Microsoft Exchange Control Panel.

Once inside a network, the group uses a variety of open source and custom tools to map domains, servers, and computers, dump credentials, elevate privileges, and access mailboxes and other sensitive information. FoggyWeb is copied to an AD FS server as an encrypted file called Windows.Data.TimeZones.zh-PH.pri, accompanied by a version.dll executable. The DLL acts as a loader for the backdoor, decrypting it and loading its code directly into memory.

To get version.dll itself to run in the context of the AD FS service and with its privileges, attackers employ a technique known as DLL search order hijacking. They copy the rogue version.dll file to the AD FS folder and wait for the service to be restarted. The AD FS service executable, called Microsoft.IdentityServer.ServiceHost.exe, loads a library called mscoree.dll. This in turn loads mscoreei.dll, which then imports a legitimate file called version.dll from the system’s %WinDir%\System32 directory.

The attackers realized that mscoreei.dll is susceptible to DLL search order hijacking because it does not use absolute paths to import other DLLs and instead relies on a folder search order in which the “current folder”, the folder of the parent process, is searched before System32. By placing their rogue version.dll in the AD FS folder, they ensure that the service automatically executes it instead of the legitimate version.dll in System32. Many applications have proven vulnerable to this technique over the years.

In addition to loading the FoggyWeb backdoor, the rogue version.dll also acts as a proxy that mimics the functionality of the legitimate DLL; the host process depends on that functionality and would otherwise crash.
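The search-order behaviour described above can be modelled in a few lines, and the same model yields a defender-side check: any DLL name that exists both in the application folder and in System32 is a hijack candidate worth explaining. The following is an added example, not code from the article or from Microsoft's report. It simplifies the Windows loader to "application folder first, then System32" (KnownDLLs and absolute-path imports are not modelled), and the directory listings, as well as the assumption that AD FS lives in C:\Windows\ADFS, are constructed for illustration.

```python
"""Simplified model of DLL search order plus a check for shadowed DLLs.

Added example (not from the article or Microsoft's report). The loader model
is deliberately reduced to the two locations the article discusses: the
folder of the parent process is consulted before %WinDir%\\System32.
"""
import ntpath
import os

# Constructed paths (assumption: AD FS is installed under C:\Windows\ADFS).
SYSTEM32 = r"C:\Windows\System32"
ADFS_DIR = r"C:\Windows\ADFS"

# Constructed directory listings standing in for os.listdir() output.
SYSTEM32_LISTING = {"version.dll", "mscoree.dll", "mscoreei.dll"}
ADFS_DIR_LISTING = {
    "Microsoft.IdentityServer.ServiceHost.exe",
    "version.dll",                          # rogue copy placed by the attacker
    "Windows.Data.TimeZones.zh-PH.pri",     # encrypted backdoor named in the article
}

# File names the article gives for the FoggyWeb drop; used as a simple IoC list.
FOGGYWEB_FILE_NAMES = ("Windows.Data.TimeZones.zh-PH.pri",)


def resolve_dll(name, app_dir, app_listing, sys_listing):
    """Return the path a search-order-dependent import would load, or None.

    Mirrors the article's description: the parent process folder wins over
    System32 whenever a file of the same name is present there.
    """
    wanted = name.lower()
    if wanted in {f.lower() for f in app_listing}:
        return ntpath.join(app_dir, name)
    if wanted in {f.lower() for f in sys_listing}:
        return ntpath.join(SYSTEM32, name)
    return None


def find_shadowed_dlls(app_listing, sys_listing):
    """DLL names present in both the app folder and System32 (hijack candidates)."""
    sys_lower = {f.lower() for f in sys_listing}
    return sorted(
        f for f in app_listing
        if f.lower().endswith(".dll") and f.lower() in sys_lower
    )


def find_ioc_files(app_listing, ioc_names=FOGGYWEB_FILE_NAMES):
    """File names in the app folder that match the article's FoggyWeb file names."""
    ioc_lower = {n.lower() for n in ioc_names}
    return sorted(f for f in app_listing if f.lower() in ioc_lower)


def scan_live_directory(app_dir=ADFS_DIR, system32=SYSTEM32):
    """Run both checks against a real host; returns (shadowed, iocs).

    Returns empty lists when the folders do not exist (e.g. on non-Windows),
    so the constructed listings above remain the offline reference.
    """
    if not (os.path.isdir(app_dir) and os.path.isdir(system32)):
        return [], []
    app_listing = set(os.listdir(app_dir))
    sys_listing = set(os.listdir(system32))
    return find_shadowed_dlls(app_listing, sys_listing), find_ioc_files(app_listing)


if __name__ == "__main__":
    # Offline walk-through using the constructed listings.
    print("version.dll resolves to:",
          resolve_dll("version.dll", ADFS_DIR, ADFS_DIR_LISTING, SYSTEM32_LISTING))
    print("mscoreei.dll resolves to:",
          resolve_dll("mscoreei.dll", ADFS_DIR, ADFS_DIR_LISTING, SYSTEM32_LISTING))
    print("shadowed DLLs in AD FS folder:",
          find_shadowed_dlls(ADFS_DIR_LISTING, SYSTEM32_LISTING))
    print("IoC file names in AD FS folder:", find_ioc_files(ADFS_DIR_LISTING))
    print("live scan:", scan_live_directory())
```

A hit from find_shadowed_dlls is not proof of compromise on its own (some applications legitimately ship private copies of system DLLs), so the practical follow-up is to compare the Authenticode signature and hash of the application-folder copy against the System32 copy before treating it as a finding.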

FoggyWeb is a passive backdoor, meaning it does not actively reach a command-and-control server, activity that might be flagged as suspicious by a firewall. Instead, once loaded into memory, it sets up an HTTP listener – essentially a basic web server – that waits for attackers to make GET requests for certain URLs that mimic the AD FS folder structure.

These requests are processed as commands and trigger internal routines to retrieve the AD FS service configuration database, token-signing or token-decrypting certificates. Federation servers digitally sign all security tokens they generate with a token-signing certificate. The token decryption certificate is used to decrypt all tokens received by a federation server. In other words, this feature allows FoggyWeb attackers to generate or decrypt valid federation tokens.

According to Microsoft researchers, a technique similar to the one the malware uses to extract the token-signing and token-decryption certificates was publicly demonstrated by two researchers at the TROOPERS conference in 2019. This suggests that APT29 hackers actively follow and learn from techniques published and presented by security researchers.

In addition to GET requests, the backdoor’s HTTP listener also accepts POST requests to certain URLs. Attackers can use these requests to send a payload, which the backdoor decrypts and executes directly in memory.

Mitigations for FoggyWeb

Microsoft’s report includes indicators of compromise that could help organizations determine if they’ve been compromised. If a compromise is suspected, organizations should audit their on-premises and cloud infrastructure, including configuration, per-user and per-application settings, forwarding rules, and other changes attackers may have made. User and app access must be removed and reissued with strong credentials, the company said.

The best protection for securing token certificates and their private keys is to use a hardware security module (HSM) attached to the AD FS server. The company also has a list of recommendations in its best practices for securing AD FS and Web Application Proxy.

Copyright © 2021 IDG Communications, Inc.