Microsoft describes ‘MagicWeb’ attacks using Active Directory Federation Services — Redmondmag.com
Microsoft on Wednesday described “MagicWeb” attacks by an advanced persistent threat group called “Nobelium,” advising organizations using Active Directory Federation Services (ADFS) to take hardening measures.
Nobelium is the name Microsoft gives to attackers believed to be associated with Russia. About a year ago, Microsoft referred to this group as “Solorigate,” a name taken from the compromise of SolarWinds’ Orion software supply chain. That compromise led to widespread eavesdropping on Exchange Online emails around the world, and ADFS was one of the technologies the group targeted in those attacks to gain access to Exchange Online email.
ADFS is a Windows Server role that organizations use to give users single sign-on access to applications and services. It enables federation trusts, in which identity remains managed locally by the organization, as described in Microsoft documentation.
MagicWeb is a recently discovered attack method that leverages ADFS, but it is not associated with a software supply chain compromise. Instead, MagicWeb is a “post-compromise capability” that is only available to attackers after they have gained “highly privileged” authenticated access, according to the announcement from the Microsoft Threat Intelligence Center, the Microsoft Detection and Response Team and the Microsoft 365 Defender Research Team.
With such access, Nobelium had many options. Microsoft noted, however, that the group deliberately chose to go after ADFS.
“The threat actor’s highly privileged access that allowed them access to the AD FS server meant that they could have performed a number of actions within the environment, but they specifically chose to target an AD FS server to facilitate their persistence and information theft objectives during their operations,” the statement said.
MagicWeb is a more covert method than a previously discovered post-exploitation tool that Microsoft called “FoggyWeb” last year. Instead of decrypting ADFS server certificates as FoggyWeb did, MagicWeb inserts a malicious dynamic link library (DLL) that modifies the tokens ADFS issues. The attacker can then manipulate the claims passed in those tokens, allowing them to “bypass AD FS policies (role policies, device policies, and network policies) and log in as any user with any claim, including multi-factor authentication (MFA).”
To perform such a bypass, MagicWeb attackers supply a non-standard Enhanced Key Usage OID (object identifier).
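One defender-side check that the Enhanced Key Usage detail suggests, written here as an added example that is not from the article or from Microsoft’s guidance: decode the DER-encoded EKU extension of a certificate presented to AD FS and flag any OID outside an allowlist of well-known purposes. The allowlist and the constructed sample extension (including the hypothetical private-arc OID 1.3.6.1.4.1.311.99999.1) are assumptions for illustration.

```python
"""Flag non-standard Enhanced Key Usage OIDs in a DER-encoded EKU extension value."""

# Assumed allowlist: the EKU purposes a defender would expect to see on
# certificates used with AD FS. Anything else is reported for review.
KNOWN_EKU = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
}

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arcs 0..2)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:                  # base-128, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(der: bytes) -> list:
    """Return the list of OIDs inside an EKU extension value (SEQUENCE OF OID)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU SEQUENCE")
        oids.append(decode_oid(content))
    return oids

def unknown_ekus(der: bytes) -> list:
    """OIDs in the extension that are not on the allowlist (candidates for alerting)."""
    return [oid for oid in parse_eku(der) if oid not in KNOWN_EKU]

# Constructed sample: serverAuth, clientAuth, plus a hypothetical private-arc OID.
SAMPLE_EKU = bytes.fromhex("3021" "06082b06010505070301" "06082b06010505070302"
                           "060b2b0601040182378 68d1f01".replace(" ", ""))
```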
ADFS hardening steps
Microsoft has characterized the MagicWeb attack approach as “highly targeted” and has not published indicators of compromise at this time. Organizations should nonetheless take protective measures. They should follow ADFS “best practices,” including treating ADFS as a “Tier 0 system like any other identity system on your network.”
ADFS should be treated like a domain controller in terms of security, the announcement states:
Like domain controllers, AD FS servers can authenticate users and therefore should be treated with the same high level of security. Customers can defend against MagicWeb and other backdoors by implementing a holistic security strategy that includes AD FS hardening guidance.
Microsoft has also advised IT departments to maintain “credential hygiene to prevent lateral movement” of attackers, including having “dedicated administrator accounts” that are regularly monitored.
Additionally, the announcement suggested that organizations stop using ADFS altogether and instead adopt a “cloud-based identity solution such as Azure Active Directory for federated authentication.”
MagicWeb attacks may not be widespread, but Microsoft has recommended hardening networks against such attack methods.
“Although we assess [MagicWeb’s] limited usability, Microsoft anticipates that other players may adopt similar methodologies and therefore recommends customers review the hardening and mitigation guidance provided in this blog.”
Other attacks against Microsoft software
Microsoft software and services appear to be a regular target of alleged Russian espionage groups. For example, last week security consultancy Mandiant described attacks against Microsoft 365 services and Azure virtual machines.
The Russian espionage group that Mandiant calls “APT29” was able to circumvent multi-factor authentication (MFA) by repeatedly sending fake notification phishing messages to end users until they clicked on a link.
The group also abused the “self-registration process for MFA in Azure Active Directory and other platforms,” which is used to enroll a user in MFA. To perform these MFA self-registrations, it guessed the passwords of unused email accounts. Mandiant suggested that organizations use conditional access policies to restrict MFA registration to trusted locations.
Mandiant also reported that APT29 was able to disable the Purview Audit feature included with E5 licenses, apparently in order to cover its tracks.
Mandiant’s article describes many more attack efforts. Mandiant is being acquired by Google, which announced the acquisition in March in a deal estimated to be worth around $5.4 billion.
About the Author
Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.