Russian hackers gain powerful ‘MagicWeb’ authentication bypass
Nobelium, a highly active Russian threat actor, has a new technique for bypassing authentication, according to Microsoft. The group behind the 2020 SolarWinds supply chain attack has developed a capability that lets it keep a persistent foothold on a corporate network even as IT and security teams work to shut the intrusion down. Microsoft has dubbed the technique MagicWeb. One notable difference with MagicWeb is that the group is not using a supply chain compromise to deploy it; instead, it abuses stolen administrator credentials.
The US and the UK assess that the hackers operate on behalf of the Russian Foreign Intelligence Service (SVR), given the high-profile nature of the group's attacks. The threat actor is best known for supply chain attacks, particularly the SolarWinds compromise that targeted 18,000 customers. Since that attack, Microsoft and other security firms have identified multiple tools used by the group, with MagicWeb being the latest.