Microsoft Warning: FoggyWeb Malware Targets Active Directory FS Servers

Cyber-crime has dangerously increased in recent years.

Exacerbated by the COVID-19 pandemic, the average ransomware demand increased from $5,000 in 2018 to $200,000 in 2020. This year, we saw the largest ever ransomware payout by an insurance company at $40 million.

The onslaught of cyber-attacks continues to evolve, with recent strikes on global IT supply chains attributed to a group tracked as NOBELIUM.

NOBELIUM uses multiple tactics, including a new tool called FoggyWeb malware, to steal credentials with the goal of gaining admin access to Active Directory Federation Services (AD FS) servers.

Summary of FoggyWeb Malware

Microsoft Threat Intelligence Center (MSTIC) reports a post-exploitation backdoor that it refers to as FoggyWeb.

Microsoft states that the use of FoggyWeb has been observed in the wild since as early as April 2021 and they have been analyzing this backdoor ever since. NOBELIUM is the notorious group behind the infamous SolarWinds supply chain attack and Microsoft and Arraya have stayed vigilant in providing updates on the attackers’ activity.

NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, along with the decrypted token-signing and token-decryption certificates, and to download and execute additional components.

Once NOBELIUM obtains credentials and successfully compromises a server, the bad actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. To establish persistence and enable further compromise, it drops two files on the server.

Dropping those files requires administrator privileges in the first place, so this backdoor depends on previously compromised or stolen credentials.

Detection and Mitigation

Protecting AD FS servers is key to mitigating FoggyWeb.

Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known attack chains. An assessment of your AD FS environment helps confirm that the proper security configurations are in place.

Below are recommended mitigation items:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system
  • Reduce local Administrators’ group membership on all AD FS servers
  • Require all cloud admins to use multi-factor authentication (MFA)
  • Ensure minimal administration capability via agents
  • Limit on-network access via host firewall
  • Ensure AD FS Admins use Admin Workstations to protect their credentials. Secure admin workstations are limited-use client machines that are built to substantially reduce the risk of compromise from malware, phishing attacks, bogus websites, and pass-the-hash (PtH) attacks, among other security risks.
  • Place AD FS server computer objects in a top-level Organizational Unit (OU) that doesn’t also host other servers
  • Ensure that all Group Policy Objects (GPOs) that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
  • Ensure that the installed certificates are protected against theft. This is one of the backdoor’s main targets.
  • Set logging to the highest level and send the AD FS and security logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar)
  • Remove unnecessary protocols and Windows features
  • Use a long (>25 characters) and complex password for the AD FS service account
  • Update to the latest AD FS version for security and logging improvements (as always, test first)
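As an added example (not part of the original post or Microsoft's guidance), the read-only PowerShell audit below checks several of the items above on an AD FS server: local Administrators membership, AD FS audit level and the OS audit subcategory it depends on, the service account type, token-signing certificate expiry, and host firewall state. It assumes Windows Server 2016 or later with the ADFS module installed; the admin-count threshold is an assumed baseline to adjust for your environment.

```powershell
# Added example: audit a few AD FS hardening items from the list above.
# Run on the AD FS server as a local administrator. Read-only; changes nothing.
Import-Module ADFS -ErrorAction Stop

$findings = @()

# 1. Local Administrators group: membership should be short and known (threshold is an assumption).
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 3) {
    $findings += "Local Administrators has $($admins.Count) members: $($admins.Name -join ', ')"
}

# 2. AD FS audit level: Verbose gives the SIEM the detail needed to correlate with AD and Azure AD.
$props = Get-AdfsProperties
if ($props.AuditLevel -ne 'Verbose') {
    $findings += "AD FS AuditLevel is '$($props.AuditLevel)', expected 'Verbose'"
}

# 3. AD FS security events also require the OS 'Application Generated' audit subcategory.
$auditpol = auditpol /get /subcategory:"Application Generated" 2>&1
if (($auditpol -join "`n") -notmatch 'Success and Failure') {
    $findings += "'Application Generated' audit subcategory is not set to Success and Failure"
}

# 4. Service account: a gMSA (name ends in '$') has a managed password; otherwise verify >25 chars.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if ($svc.StartName -notmatch '\$$') {
    $findings += "AD FS service runs as '$($svc.StartName)'; confirm a long, complex password or move to a gMSA"
}

# 5. Token-signing certificates: a main FoggyWeb target, so track them and their expiry.
Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
    if ($_.Certificate.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Token-signing cert $($_.Thumbprint) expires $($_.Certificate.NotAfter)"
    }
}

# 6. Host firewall: every profile should be enabled to limit on-network access.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```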

Another mitigation strategy would be to consider moving application authentication from AD FS to Azure Active Directory if your environment permits (and certain prerequisites are met). Migrating all your application authentication to Azure AD is optimal, as it gives you a single control plane for identity and access management.

Your applications may use modern or legacy protocols for authentication. When you plan your migration to Azure AD, consider migrating the apps that use modern authentication protocols (such as SAML and OpenID Connect) first. These apps can be reconfigured to authenticate with Azure AD either via a built-in connector from the Azure App Gallery, or by registering the application in Azure AD. Apps that use older protocols can be integrated using Application Proxy.

Next Steps: Make the Transition to Azure AD

As the next evolution of identity and access management, Azure Active Directory (AD) provides single sign-on and multifactor authentication to protect users from 99.9 percent of cyberattacks.

Azure AD allows your employees to log on, whether remote or on-site, so they can effectively work from anywhere.

Contact an Arraya expert today to explore decommissioning AD FS and moving to Azure AD.

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team now.

Comment on this and all of our posts on: LinkedIn, Twitter and Facebook.

Follow us to stay up to date on our industry insights and unique IT learning opportunities.
