APT29 targets Active Directory Federation Services with stealth backdoor

Security researchers recently observed a notorious cyber espionage group linked to the Russian government deploying a new backdoor designed to connect to Active Directory Federation Services (AD FS) servers and steal their configuration databases and security token certificates.

In a new report, Microsoft attributes the malware, called FoggyWeb, to a group the company tracks as NOBELIUM, but which is also known in the security industry as APT29 or Cozy Bear. This same group was behind the SolarWinds supply chain compromise last year, which resulted in corporate networks being compromised through trojanized software updates. The group is considered the hacking arm of Russia’s foreign intelligence service, the SVR, and is known for its high level of sophistication and stealth.

What is FoggyWeb and how does it work?

FoggyWeb is a post-exploitation persistence and data exfiltration-focused backdoor that has been specifically designed to interact with AD FS servers. The backdoor uses advanced deployment techniques that highlight its creators’ deep knowledge of AD FS, Windows services, and APIs.

Installing FoggyWeb requires administrative credentials, which is why the malware is only deployed after the attackers have already gained access to the network and moved laterally to obtain administrator credentials. APT29 is known to employ multiple network intrusion tactics; compromising the software supply chain, as in the SolarWinds case, is just one of them. In the past, the group has broken into networks using email phishing with malicious links and attachments, using stolen VPN and other remote access credentials, bypassing multi-factor authentication, and exploiting vulnerabilities in popular enterprise software and devices, such as CVE-2019-19781 in Citrix, CVE-2019-11510 in Pulse Secure VPNs, CVE-2018-13379 in FortiGate VPNs, CVE-2019-9670 in Zimbra software and CVE-2020-0688 in the Microsoft Exchange Control Panel.

Once inside a network, the group uses a variety of open source and custom tools to map domains, servers, and computers, harvest credentials, elevate privileges, and access mailboxes and other sensitive information. FoggyWeb is copied to an AD FS server as an encrypted file called Windows.Data.TimeZones.zh-PH.pri, together with an executable called version.dll. The DLL acts as a loader for the backdoor: it decrypts the file and loads its code directly into memory.

In order for version.dll itself to be executed in the context of the AD FS service and with its privileges, the attackers employ a technique known as DLL search order hijacking. They copy the rogue version.dll file into the AD FS folder and wait for the service to restart. The AD FS service executable, called Microsoft.IdentityServer.ServiceHost.exe, loads a library called mscoree.dll. This in turn loads mscoreei.dll, which then imports a legitimate file called version.dll from the %WinDir%\System32 directory.

The attackers realized that mscoreei.dll is susceptible to DLL search order hijacking because it does not use absolute paths to import other DLLs and instead relies on a folder search order in which the “current folder”, that is, the folder of the parent process, is searched before System32. By placing their rogue version.dll in the AD FS folder, they ensure that the service loads it instead of the legitimate version.dll in System32. Many applications have proven to be vulnerable to this technique over the years.

Besides loading the FoggyWeb backdoor, the rogue version.dll also acts as a proxy that provides the functionality of the legitimate DLL; without it, the whole process would crash, because that functionality is needed.
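The search-order hijack described above leaves a checkable footprint on the federation server: a DLL in the service host’s own folder whose name shadows a System32 DLL, and a loaded module resolving outside System32. The following added example (not code from the Microsoft report or the article) hunts for that footprint; it assumes the default AD FS install folder %WinDir%\ADFS, which the article does not state.

```powershell
# Added example: hunt for the DLL sideloading precondition on an AD FS server.
# Assumptions: AD FS is installed in $env:windir\ADFS (default, not stated on the page);
# the service host process is Microsoft.IdentityServer.ServiceHost.exe (named on the page).
# Run from an elevated PowerShell session on the federation server.

$AdfsDir  = Join-Path $env:windir 'ADFS'       # assumed default install folder
$System32 = Join-Path $env:windir 'System32'
$Findings = @()

# 1. Any DLL next to the service executable that shares a name with a System32 DLL
#    is a sideloading candidate (version.dll is the case described in the article).
#    Signature details are collected so the operator can triage legitimate copies.
Get-ChildItem -Path $AdfsDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $shadowed = Join-Path $System32 $_.Name
        if (Test-Path -LiteralPath $shadowed) {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $Findings += [pscustomobject]@{
                Check  = 'ShadowsSystem32Dll'
                Path   = $_.FullName
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status
            }
        }
    }

# 2. The encrypted payload file name reported in the article.
$PayloadName = 'Windows.Data.TimeZones.zh-PH.pri'
Get-ChildItem -Path $AdfsDir -Recurse -Filter $PayloadName -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Check = 'KnownPayloadName'; Path = $_.FullName; Signer = ''; Status = '' }
    }

# 3. In the running service host, version.dll must be the System32 copy.
Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $_.Modules |
            Where-Object { $_.ModuleName -ieq 'version.dll' -and
                           -not $_.FileName.StartsWith($System32, 'OrdinalIgnoreCase') } |
            ForEach-Object {
                $Findings += [pscustomobject]@{ Check = 'LoadedVersionDllOutsideSystem32'; Path = $_.FileName; Signer = ''; Status = '' }
            }
    }

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No sideloading indicators found.' }
```

A hit on check 1 is not proof of compromise on its own; compare the signer and hash of the flagged file against the System32 copy before acting.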

FoggyWeb is a passive backdoor, which means that it does not actively reach a command and control server, an activity that could be flagged as suspicious by a firewall. Instead, when loaded into memory, it sets up an HTTP listener – essentially a basic web server – that waits for attackers to make GET requests for certain URLs that mimic the AD FS folder structure.

These requests are treated as commands and trigger internal routines that retrieve the AD FS configuration database, the token-signing certificate, or the token-decryption certificate. Federation servers digitally sign all security tokens they generate with the token-signing certificate. The token-decryption certificate is used to decrypt all tokens received by a federation server. In other words, this feature allows the FoggyWeb attackers to generate or decrypt valid federation tokens.

According to Microsoft researchers, a technique similar to the one the malware uses to extract the token-signing and token-decryption certificates was publicly presented by two researchers at the TROOPERS conference in 2019. This suggests that the APT29 hackers actively follow and learn from techniques published and presented by security researchers.

In addition to GET requests, the backdoor’s HTTP listener also accepts POST requests to certain URLs. The attackers can use these requests to send a payload, which the backdoor decrypts and executes directly in memory.

Mitigations for FoggyWeb

The Microsoft report includes indicators of compromise that can help organizations determine whether they have been affected. If a compromise is suspected, organizations should audit their on-premises and cloud infrastructure, including configuration, per-user and per-application settings, forwarding rules, and any other changes the attackers might have made. User and application access should be revoked and reissued with strong credentials, the company said.

The best protection for securing token certificates and their private keys is to use a hardware security module (HSM) attached to the AD FS server. The company also has a list of recommendations in its best practices for securing AD FS and Web Application Proxy.

Copyright © 2021 IDG Communications, Inc.