Arraya Insights | November 16, 2021
Cyber-crime has dangerously increased in recent years.
Exacerbated by the COVID-19 pandemic, the average ransomware demand increased from $5,000 in 2018 to $200,000 in 2020. This year, we saw the largest ever ransomware payout by an insurance company at $40 million.
The onslaught of cyber-attacks continues to evolve, with recent strikes on global IT supply chains by a group tracked as NOBELIUM.
NOBELIUM uses multiple tactics, including a new tool, the FoggyWeb malware, to steal credentials with the goal of gaining admin access to Active Directory Federation Services (AD FS) servers.
Summary of FoggyWeb Malware
Microsoft Threat Intelligence Center (MSTIC) reports a post-exploitation backdoor that it refers to as FoggyWeb.
Microsoft states that the use of FoggyWeb has been observed in the wild since as early as April 2021 and they have been analyzing this backdoor ever since. NOBELIUM is the notorious group behind the infamous SolarWinds supply chain attack and Microsoft and Arraya have stayed vigilant in providing updates on the attackers’ activity.
NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, along with the decrypted token-signing and token-decryption certificates, and to download and execute additional components.
Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. To establish persistence and enable further compromise, NOBELIUM drops two files on the server.
That action requires administrator privileges in the first place, meaning this backdoor must build on previously compromised or stolen credentials.
Detection and Mitigation
Protecting AD FS servers is key to mitigating FoggyWeb.
Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known attack chains. An assessment of your AD FS environment helps ensure the proper security configurations are in place.
Below are recommended mitigation items:
- Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system
- Reduce local Administrators’ group membership on all AD FS servers
- Require all cloud admins to use multi-factor authentication (MFA)
- Ensure minimal administration capability via agents
- Limit on-network access via host firewall
- Ensure AD FS Admins use Admin Workstations to protect their credentials. Secure admin workstations are limited-use client machines that are built to substantially reduce the risk of compromise from malware, phishing attacks, bogus websites, and pass-the-hash (PtH) attacks, among other security risks.
- Place AD FS server computer objects in a top-level Organizational Unit (OU) that doesn’t also host other servers
- Ensure that all Group Policy Objects (GPOs) that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
- Ensure that the installed certificates are protected against theft. This is one of the backdoor’s main targets.
- Set logging to the highest level and send the AD FS and security logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar)
- Remove unnecessary protocols and Windows features
- Use a long (>25 characters) and complex password for the AD FS service account
- Update to the latest AD FS version for security and logging improvements (as always, test first)
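To turn several of the items above into something you can check on a schedule, the following PowerShell script is an added, read-only audit example (it is not from the original post and not an Arraya or Microsoft tool). It assumes it is run elevated on the AD FS server itself with the ADFS, ActiveDirectory, GroupPolicy and ServerManager modules present; the group names in $AllowedAdmins and the OU name in $AdfsOuName are placeholders for your own naming, and the SMB1 feature check stands in for whichever "unnecessary protocols" apply in your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: report the state of several AD FS hardening items. Nothing is changed.
Import-Module ADFS, ActiveDirectory, GroupPolicy -ErrorAction Stop

$AllowedAdmins = @('Domain Admins', 'AD FS Admins')   # placeholder: groups allowed local admin rights
$AdfsOuName    = 'AD FS Servers'                       # placeholder: dedicated OU for AD FS computer objects
$findings      = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Item, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK  ' } else { 'FAIL' }
    $findings.Add("[$status] $Item - $Detail")
}

# 1. Local Administrators group: only the built-in Administrator and the allowed groups.
$localAdmins = Get-LocalGroupMember -Group 'Administrators'
$unexpected  = @($localAdmins | Where-Object {
    $name = ($_.Name -split '\\')[-1]
    $name -ne 'Administrator' -and $AllowedAdmins -notcontains $name
})
Add-Finding 'Local Administrators membership' ($unexpected.Count -eq 0) ("members: " + ($localAdmins.Name -join ', '))

# 2. Logging at the highest level: AD FS AuditLevel Verbose plus the OS
#    "Application Generated" subcategory, which AD FS security events depend on.
$props = Get-AdfsProperties
Add-Finding 'AD FS AuditLevel' ($props.AuditLevel -contains 'Verbose') "AuditLevel: $($props.AuditLevel)"
$auditRow = auditpol /get /subcategory:'Application Generated' /r | ConvertFrom-Csv | Select-Object -First 1
$auditOn  = $auditRow.'Inclusion Setting' -eq 'Success and Failure'
Add-Finding 'Audit: Application Generated' $auditOn "setting: $($auditRow.'Inclusion Setting')"

# 3. Token-signing / token-decrypting certificates (the backdoor's main target):
#    report expiry and, where the key is readable, whether it is exportable.
$targetTypes = 'Token-Signing', 'Token-Decrypting'
foreach ($c in Get-AdfsCertificate | Where-Object { $_.CertificateType -in $targetTypes }) {
    $x = $c.Certificate
    $exportable = 'unknown'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($x)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $exportable = ($rsa.Key.ExportPolicy -ne 'None')
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
    } catch { }   # key not readable by this account: leave as 'unknown'
    Add-Finding "$($c.CertificateType) $($x.Thumbprint)" (-not ($exportable -eq $true)) `
        "expires $($x.NotAfter.ToString('yyyy-MM-dd')); exportable: $exportable"
}

# 4. Computer object in a dedicated OU, and each linked GPO linked nowhere else.
$comp  = Get-ADComputer -Identity $env:COMPUTERNAME
$ouDn  = ($comp.DistinguishedName -split ',', 2)[1]
$inOu  = $ouDn -like "OU=$AdfsOuName,*"
$peers = @(Get-ADComputer -SearchBase $ouDn -SearchScope OneLevel -Filter *)
Add-Finding 'Dedicated OU' $inOu "OU: $ouDn; computer objects in OU: $($peers.Count)"
foreach ($link in (Get-GPInheritance -Target $ouDn).GpoLinks) {
    $report = [xml](Get-GPOReport -Guid $link.GpoId -ReportType Xml)
    $linkCount = @($report.GPO.LinksTo).Count
    Add-Finding "GPO '$($link.DisplayName)' scope" ($linkCount -le 1) "linked in $linkCount place(s)"
}

# 5. Host firewall enabled on every profile.
$fw = Get-NetFirewallProfile
$allOn = @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
Add-Finding 'Host firewall' $allOn ("profiles: " + (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '))

# 6. Unnecessary protocols: SMB1 as one example of a feature that should be absent.
$smb1 = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
if ($smb1) { Add-Finding 'SMB1 feature removed' (-not $smb1.Installed) "Installed: $($smb1.Installed)" }

$findings
```

Run it as a scheduled job and ship the output to the same SIEM that receives the AD FS and security logs; a FAIL line appearing on a server that previously passed is itself a signal worth an alert, since changes to local admin membership, audit settings or GPO scope are exactly what an attacker with stolen admin credentials would make.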
Another mitigation strategy would be to consider moving application authentication from AD FS to Azure Active Directory if your environment permits (and certain prerequisites are met). Migrating all your application authentication to Azure AD is optimal, as it gives you a single control plane for identity and access management.
Your applications may use modern or legacy protocols for authentication. When you plan your migration to Azure AD, consider migrating the apps that use modern authentication protocols (such as SAML and OpenID Connect) first. These apps can be reconfigured to authenticate with Azure AD either via a built-in connector from the Azure App Gallery, or by registering the application in Azure AD. Apps that use older protocols can be integrated using Application Proxy.
Next Steps: Make the Transition to Azure AD
Azure AD allows your employees to log on, whether remote or on-site, so they can effectively work from anywhere.
Contact an Arraya expert today to explore decommissioning AD FS and moving to Azure AD.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team now.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.