Actors responsible for SolarWinds’ are back
The attackers behind the Solar Winds supply chain attack APT29 are back and have included a latest weapon to their attack inventory. Known as MagicWeb, a post compromise capability, it is used to keep continuous access to breached environments and moves laterally.
Experts at Microsoft noticed the Russia-backed Nobelium APT using the backdoor after gaining administrative rights to an Active Directory Federated Services (AD FS) server.
Use of MagicWeb to get privileged access
With the help of privileged access, the hackers change a genuine DLL with the malicious MagicWeb DLL, to load the malware with AD FS and make it look legitimate.
Similar to domain controllers, AD FS servers can verify users. MagicWeb enables this on the behalf of hackers by letting the manipulation of the claims that pass through verification tokens generated by an AD FS server, therefore, they can verify as any user on the system.
MagicWeb is better than previous versions
As per Microsoft, MagicWeb is a better version of the earlier used FoggyWeb tool, which also makes a steady foothold inside the target networks.
Researchers at Microsoft say that MagicWeb goes beyond the collection c
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: