ADFS Malware Breached Windows Authentication
Microsoft recently reported being hacked by Russian hackers using ADFS malware that allows anyone to access Windows without login credentials. Once the Windows platform is compromised, anyone can bypass the authentication protocols and access the compromised network.
The tech giant revealed that its technical team identified the new malware after a series of hacking reports. The Russian hacker collective APT29, one of the most notorious groups of criminal hackers based in Russia, is reportedly the culprit. The group is also known as NOBELIUM and Cozy Bear.
As a Russian state-sponsored cyber espionage group, APT29 has the intelligence backing that affords it advanced high-tech capabilities for concealing its tracks. Because they can hide their presence on their victims' compromised networks, these threat actors mostly target government facilities across the globe. Some cyber analysis reports also reveal that these Russia-sponsored hackers have victimized big-brand corporations in Asia, Europe, and the United States of America.
According to the security researchers tasked with tracking the APT29 threat actors, the group utilizes a new malicious tool, dubbed "MagicWeb", which is part of the "FoggyWeb" premium hacking toolkit. This dubious hacking tool permits dark web hackers to easily steal the configuration databases of targeted businesses.
MagicWeb Hijacks Authentication
Using the "MagicWeb" tool, the hackers compromised the targeted company's Active Directory Federation Services (ADFS) servers. Next, they cracked both the token-signing and token-decryption certificates. This allowed the threat actors to easily retrieve additional payloads from their command and control (C2) server.
Once these steps are complete, MagicWeb inserts itself into the claims process to carry out its nefarious deeds. Its unique capability is that it can act beyond the scope of what a standard ADFS server is responsible for.
ADFS uses claims-based authentication: it verifies the user's identity and authorization claims and condenses them into an authentication token.
MagicWeb was built to alter the claims passed into these tokens. The compromised server is forced to swap out a trustworthy DLL for the malicious code inside the ADFS program, allowing that malicious code to manipulate the victim's authentication certificates and DLLs.
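A defender's check for the DLL swap described above, added here as an example and not part of the article or of Microsoft's own guidance: it lists the modules loaded by the AD FS service process and flags any that lack a valid Microsoft Authenticode signature, then does the same for the identity-server assemblies in the Global Assembly Cache. It assumes the default service process name Microsoft.IdentityServer.ServiceHost and an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the article or from Microsoft). Run elevated on the AD FS
# server: reading the module list of a service running as SYSTEM needs admin rights.
# Assumptions: the service process is named Microsoft.IdentityServer.ServiceHost
# (the default), and a legitimate module carries a valid "Microsoft Corporation" signature.

$svc = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction Stop

# Inspect every DLL the AD FS process has loaded, not only those in its install folder,
# so a replacement module dropped into the GAC or elsewhere still shows up.
$loaded = foreach ($m in $svc.Modules) {
    $path = $m.FileName
    if (-not $path) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft Corporation*')
    [pscustomobject]@{
        Module  = $m.ModuleName
        Path    = $path
        Status  = $sig.Status
        Signer  = $signer
        Suspect = -not $trusted
    }
}

# A swapped identity-server DLL appears here as unsigned, as having a broken signature,
# or as signed by someone other than Microsoft. Compare any hit against a known-good
# AD FS install (file hash and version) before acting on it.
$loaded | Where-Object Suspect | Format-Table -AutoSize Module, Status, Signer, Path

# AD FS loads its Microsoft.IdentityServer.* assemblies from the GAC, so also check the
# on-disk copies there, which covers a replaced file the service has not reloaded yet.
Get-ChildItem -Path "$env:windir\Microsoft.NET\assembly\GAC_MSIL" -Recurse -Filter 'Microsoft.IdentityServer*.dll' |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*Microsoft Corporation*' } |
    Format-Table -AutoSize Status, Signer, Path
```

An empty result from both tables is the expected state on a clean server; any row is a lead for hash comparison against a known-good AD FS installation, not proof of compromise on its own.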
APT29 Hackers Manipulation
Microsoft notes that its Detection and Response Team (DART), while investigating the APT29 hackers, found that with MagicWeb the criminals first obtain admin access to the target and then update ADFS with their maliciously coded version.
Over the years, the Russian APT29 hackers have benefited from persistent cybersecurity breaches facilitated by the pivoting capabilities of the MagicWeb tool. With this tool in their arsenal, they can effortlessly validate and authenticate targeted victims' accounts built on an ADFS authentication server.