Security researchers have recently seen a notorious cyberespionage group with ties to the Russian government deploy a new backdoor that’s designed to hook into Active Directory Federation Services (AD FS) and steal configuration databases and security token certificates.

In a new report, Microsoft attributes the malware program called FoggyWeb to a group the company tracks as NOBELIUM, but which is also known in the security industry as APT29 or Cozy Bear. This same group was behind the SolarWinds supply chain compromise last year that resulted in corporate networks being compromised through Trojanized software updates. The group is considered the hacking arm of Russia’s foreign intelligence service, the SVR, and is known for its high level of sophistication and stealth.

What is FoggyWeb and how does it work?

FoggyWeb is a post-exploitation backdoor with a focus on persistence and data exfiltration that was built specifically to interact with AD FS servers. The backdoor uses some advanced deployment techniques that highlight its creators’ deep knowledge of AD FS, Windows services and APIs. Installing FoggyWeb requires administrative credentials, which is why the malware is deployed only after attackers have already gained access to the network and engaged in lateral movement to obtain admin credentials. APT29 is known to use multiple network intrusion tactics, and compromising the software supply chain, as in the SolarWinds case, is just one of them. In the past the group broke into networks by using email spear phishing with malicious links and attachments, used stolen VPN and other remote access credentials, bypassed multi-factor authentication and exploited vulnerabilities in common enterprise software and appliances such as CVE-2019-19781 in Citrix, CVE-2019-11510 in Pulse Secure VPNs, CVE-2018-13379 in FortiGate VPNs, CVE-2019-9670 in Zimbra software and CVE-2020-0688 in the Microsoft Exchange Control Panel.

FoggyWeb is a passive backdoor, meaning it does not actively reach out to a command-and-control server, an activity that could be flagged as suspicious by a firewall. Instead, once loaded in memory, it sets up an HTTP listener - essentially a basic web server - that waits for attackers to make GET requests for certain URLs that mimic the AD FS folder structure. These requests are treated as commands and trigger internal routines to extract the AD FS service configuration database, the token-signing certificate or the token-decryption certificate.

Federation servers digitally sign all security tokens they generate with a token-signing certificate. The token-decryption certificate is used to decrypt any tokens received by a federation server. In other words, this functionality allows FoggyWeb attackers to generate or decrypt valid federation tokens.

According to the Microsoft researchers, a technique similar to the one used by the malware to extract the token-signing and token-decryption certificates was publicly presented by two researchers in 2019 at the TROOPERS conference. This could suggest that the APT29 hackers actively follow and learn from the techniques released and presented by security researchers.

In addition to GET requests, the backdoor’s HTTP listener also accepts POST requests to certain URLs. These requests can be used by attackers to send a payload that will get decrypted and executed directly in memory by the backdoor.
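Because FoggyWeb is passive and its command URLs are shaped like ordinary AD FS paths, outbound C2 monitoring will not fire and a plain URL blocklist is brittle. The example below is added here as an illustration and is not code from the article or from Microsoft’s report. It assumes you have Combined Log Format access logs from a reverse proxy or load balancer sitting in front of the federation servers (an assumption; the federation server’s own logging may not see requests handled by an in-process listener). It flags two behaviours that the article implies: a request with a body (such as a POST carrying a payload) aimed at a static-asset path under /adfs/, and a GET for a static asset whose response size deviates from that path’s baseline, which is what an extracted configuration database or certificate blob would look like. The log lines, paths and addresses are constructed for the example and are not FoggyWeb indicators.

```python
"""Heuristic detection of FoggyWeb-style passive backdoor traffic in access logs.

Two signals that do not depend on knowing the backdoor's exact URLs:
  1. A request with a body (POST/PUT/...) to a path that looks like a static
     AD FS asset: static files never take a request body.
  2. A 200 response for a static asset whose size differs from that path's
     baseline: a real static file has a constant size, an extracted
     configuration database or certificate blob does not.
"""
import re
from collections import Counter, defaultdict

# Extensions the AD FS portal serves as static theme assets (assumption).
STATIC_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".ico", ".css", ".js", ".svg"}

# Combined Log Format as written by many reverse proxies (assumption about the
# proxy in front of the AD FS farm).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: not real traffic and not FoggyWeb indicators.
# 198.51.100.23 is an RFC 5737 documentation address playing the attacker.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2021:10:01:02 +0000] "GET /adfs/portal/images/theme/light01/logo.png HTTP/1.1" 200 8214
10.0.0.6 - - [27/Sep/2021:10:01:05 +0000] "GET /adfs/portal/images/theme/light01/logo.png HTTP/1.1" 200 8214
10.0.0.7 - - [27/Sep/2021:10:02:10 +0000] "GET /adfs/portal/images/theme/light01/logo.png HTTP/1.1" 200 8214
10.0.0.5 - - [27/Sep/2021:10:03:00 +0000] "POST /adfs/ls/ HTTP/1.1" 302 0
198.51.100.23 - - [27/Sep/2021:10:05:30 +0000] "GET /adfs/portal/images/theme/light01/logo.png HTTP/1.1" 200 1049372
198.51.100.23 - - [27/Sep/2021:10:06:01 +0000] "POST /adfs/portal/images/theme/light01/banner.css HTTP/1.1" 200 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    e["path"] = e["path"].split("?", 1)[0].lower()  # ignore query string and case
    return e


def is_static_adfs_asset(path):
    """True for a path under /adfs/ that ends in a static-asset extension."""
    if not path.startswith("/adfs/"):
        return False
    dot = path.rfind(".")
    return dot != -1 and path[dot:] in STATIC_EXTENSIONS


def detect(lines):
    """Return a list of findings; each is a dict with rule, src, method, path, detail."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []

    # Signal 1: a request body sent to a static asset path.
    for e in events:
        if is_static_adfs_asset(e["path"]) and e["method"] not in ("GET", "HEAD"):
            findings.append({"rule": "body_to_static_asset", "src": e["src"],
                             "method": e["method"], "path": e["path"],
                             "detail": "static assets never accept a request body"})

    # Signal 2: per-path baseline size from successful GETs, then flag deviations.
    # The most common size is the baseline, so feed this a window believed clean.
    sizes = defaultdict(Counter)
    for e in events:
        if e["method"] == "GET" and e["status"] == 200 and is_static_adfs_asset(e["path"]):
            sizes[e["path"]][e["size"]] += 1
    for e in events:
        if e["method"] == "GET" and e["status"] == 200 and e["path"] in sizes:
            baseline, seen = sizes[e["path"]].most_common(1)[0]
            if seen >= 2 and e["size"] != baseline:
                findings.append({"rule": "static_size_anomaly", "src": e["src"],
                                 "method": e["method"], "path": e["path"],
                                 "detail": f"size {e['size']} vs baseline {baseline}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['rule']:<22} {f['src']:<15} {f['method']} {f['path']} ({f['detail']})")
```

On the sample, the two attacker requests are the only findings. Two caveats apply in production: content negotiation (Content-Encoding) and 304 responses change sizes for the same asset, so the baseline should be built from a known-clean window and keyed per encoding if the proxy logs it; and an attacker who only ever requests a path once leaves no baseline to compare against, so the body-to-static-asset rule is the more reliable of the two.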