Microsoft has warned that the Nobelium APT is currently compromising single-sign-on services to install a post-exploitation backdoor. The backdoor maintains network persistence and steals data from victims. Nobelium, the threat actors behind the SolarWinds supply-chain attacks, are using a backdoor called FoggyWeb to conduct the attacks. The attacks target Active Directory Federation Services (AD FS) servers. AD FS enables single-sign-on across cloud-based apps in Microsoft environments through sharing digital identities and entitlements rights.
The campaign started as early as April, according to the Microsoft Threat Intelligence Center, which published a blog post detailing the campaign on Monday. FoggyWeb achieves persistence and communicates with a command-and-control server to receive additional malicious components. FoggyWeb also exfiltrates the configuration database of the compromised servers, obtaining access to decrypted token signing certificates and token decryption certificates which can be used to break into cloud accounts.
Read More: SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor