Security researchers have recently seen a notorious cyber-espionage group with ties to the Russian government deploy a new backdoor that's designed to hook into Active Directory Federation Services (AD FS) and steal configuration databases and security token certificates.
In a new report, Microsoft attributes the malware program called FoggyWeb to a group the company tracks as NOBELIUM, but which is also known in the security industry as APT29 or Cozy Bear.
This same group was behind the SolarWinds supply chain compromise last year that resulted in corporate networks being compromised through Trojanised software updates. The group is considered the hacking arm of Russia's foreign intelligence service, the SVR and is known for its high level of sophistication and stealth.
What is FoggyWeb and how does it work?
FoggyWeb is a post-exploitation backdoor with a focus on persistence and data exfiltration that was built specifically to interact with AD FS servers. The backdoor uses some advanced deployment techniques that highlight its creators' deep knowledge of AD FS, Windows services and APIs.
Installing FoggyWeb requires administrative credentials, which is why the malware is deployed only after attackers have already gained access to the network and engaged in lateral movement to obtain admin credentials. APT29 is known to use multiple network intrusion tactics and compromising the software supply-chain like in the SolarWinds case is just one of them.
In the past the group broke into networks by using email spear phishing with malicious links and attachments, used stolen VPN and other remote access credentials, bypassed multi-factor authentication and exploited vulnerabilities in common enterprise software and appliances such as CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software and CVE-2020-0688 in Microsoft Exchange Control Panel.
Once inside a network, the group uses a variety of open-source and custom-made tools to map domains, servers and computers, dump credentials, elevate privileges and access mailboxes and other sensitive information. FoggyWeb is copied to an AD FS server as an encrypted file called Windows.Data.TimeZones.zh-PH.pri together with a version.dll executable. The DLL serves as a loader for the backdoor, decrypting it and loading its code directly in memory.
For version.dll itself to be executed in context of the AD FS service and with its privileges, the attackers employ a technique known as DLL search order hijacking. They copy the rogue version.dll in the AD FS folder and wait for the service to be restarted.
The AD FS service executable, called Microsoft.IdentityServer.ServiceHost.exe, loads a library called mscoree.dll. This in turn loads mscoreei.dll, which then imports a legitimate file called version.dll from the system's %WinDir%\System32\ directory.
The attackers realised that mscoreei.dll is susceptible to DLL search order hijacking because it does not use absolute paths to import other DLLs and instead relies on a folder search order where the "current folder," which is the folder of the parent process, is preferred over system32.
By putting their rogue version.dll in the AD FS folder, they ensure its automatic execution by the service over the legitimate version.dll file from system32. Many applications have been found vulnerable to this technique over the years.
On top of loading the FoggyWeb backdoor, the rogue version.dll also acts as a proxy that replicates the functionality of the legitimate DLL, otherwise the whole process would crash since that functionality is needed.
FoggyWeb is a passive backdoor, meaning it does not actively reach out to a command-and-control server, an activity that could be flagged as suspicious by a firewall. Instead, once loaded in memory, it sets up an HTTP listener -- essentially a basic web server -- that waits for attackers to make GET requests for certain URLs that mimic the AD FS folder structure.
These requests are treated as commands and trigger internal routines to extract the AD FS service configuration database, the token signing or the token decryption certificates. Federation servers digitally sign all security tokens they generate with a token-signing certificate. The token decryption certificate is used to decrypt any tokens received by a federation server. In other words, this functionality allows FoggyWeb attackers to generate or decrypt valid federation tokens.
According to the Microsoft researchers, a technique that is similar to the one used by the malware to extract the token signing and decryption certificates was publicly presented by two researchers in 2019 at the TROOPERS conference. This could suggest that the APT29 hackers actively follow and learn from the techniques released and presented by security researchers.
In addition to GET requests, the backdoor's HTTP listener also POST requests to certain URLs. These requests can be used by attackers to send a payload that will get decrypted and executed directly in memory by the backdoor.
Mitigations for FoggyWeb
The Microsoft report includes indicators of compromise that could help organisations determine if they've been compromised. If a compromise is suspected, organisations should audit their on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules and other changes attackers might have made. User and app access should be removed and reissued with strong credentials, the company said.
The best protection for securing the token certificates and their private keys is to use a hardware security module (HSM) attached to the AD FS server. The company also has a list of recommendations in its Best Practices for securing AD FS and Web Application Proxy.