News

Microsoft Describes 'MagicWeb' Attacks Using Active Directory Federation Services

• By Kurt Mackie
• 08/25/2022

Microsoft on Wednesday described "MagicWeb" attacks by an advanced persistent threat group called "Nobelium," advising organizations using Active Directory Federation Services (ADFS) to take hardening steps.

Nobelium is Microsoft's name for attackers thought to be associated with Russia. About a year ago, Microsoft had called this group "Solorigate," with the name arising from a supply-chain compromise of SolarWinds' Orion software. That compromise led to widespread espionage taps on Exchange Online e-mails around the globe. At that time, ADFS was one of the technologies getting targeted by this attack group to gain access to Exchange Online e-mails.

ADFS is a Windows Server role used by organizations for connecting with apps and services using single sign-on access. It enables federation trusts, where the identity aspects get managed locally in organizations, per Microsoft's documentation description.

The MagicWeb attack approach is a newly discovered attack method that leverages ADFS, but it isn't associated with a supply-chain compromise of software. Instead, MagicWeb is a "post-compromise capability" that's just available to attackers after they've obtained "highly privileged" credentialed access, explained the announcement by the Microsoft Threat Intelligence Center, the Microsoft Detection and Response Team, and the Microsoft 365 Defender Research Team.

With such access, the Nobelium group had lots of options. However, Microsoft suggested they typically wanted to exploit ADFS.

"The threat actor's highly privileged access that allowed them to access the AD FS server meant they could have performed any number of actions in the environment, but they specifically chose to target an AD FS server to facilitate their goals of persistence and information theft during their operations," the announcement indicated.

MagicWeb is a more covert attack method that goes beyond an earlier discovered post-exploitation method that Microsoft had called "FoggyWeb" last year. Instead of decrypting certificates from ADFS servers like FoggyWeb did, MagicWeb changes tokens to insert a malicious Dynamic Link Library file. The attacker can then manipulate the claims that get passed in tokens. They can "bypass AD FS policies (role policies, device policies, and network policies) and sign in as any user with any claims, including multifactor authentication (MFA)."

The MagicWeb attackers send a "non-standard Enhanced Key Usage OID [Object Identifier]" to carry out such bypasses.

ADFS Hardening Steps
Microsoft characterized the MagicWeb attack approach as being "highly targeted," and it isn't publishing indicators of compromise at this time. Organizations, though, should carry out protective measures. They should follow ADFS "best practices," including treating ADFS as a "'Tier 0' system like any other identity system on your network."

ADFS should be treated like a domain controller in terms of security, the announcement indicated:

Like domain controllers, AD FS servers can authenticate users and should therefore be treated with the same high level of security. Customers can defend against MagicWeb and other backdoors by implementing a holistic security strategy including the AD FS hardening guidance.

Microsoft also advised IT departments to maintain "credential hygiene to prevent lateral movement" by attackers, including having "dedicated admin accounts" that are regularly monitored.

Also, the announcement suggested that organizations should shift away from using ADFS itself. Instead, they should use a "cloud-based identity solution such as Azure Active Directory for federated authentication," the announcement stated.

The MagicWeb attacks may not be widespread, but Microsoft recommended hardening networks against such attack methods.

"Though we assess the [MagicWeb] capability to be in limited use, Microsoft anticipates that other actors could adopt similar methodologies and therefore recommends customers review hardening and mitigation guidance provided in this blog."

Other Attacks on Microsoft Software
Microsoft's software and services generally seem to be under attack by purported Russian espionage groups. For instance, last week, security consultancy Mandiant described attacks on Microsoft 365 services and Azure Virtual Machines.

The purported Russian espionage groups, referred to as "APT29" by Mandiant, have been able to bypass multifactor authentication (MFA) by pushing fake notification phishing messages repeatedly to end users until they click on a link.

They've also exploited the "self-enrollment process for MFA in Azure Active Directory and other platforms" which is used to kick-off MFA use. Additionally, the groups are guessing the passwords of unused e-mail accounts to carry out these MFA self-enrollments. Mandiant suggested that organizations could use Conditional Access policies to restrict MFA enrollments to trusted locations.

Mandiant also suggested that the APT29 group was able to disable the Purview Audit capability that comes with E5 licenses. It's being done to cover their tracks.

There's a whole lot more of attack efforts described in Mandiant's article. Mandiant is getting acquired by Google, which announced acquisition plans back in March in a deal estimated at about $5.4 billion.