Microsoft: SolarWinds Hackers Bypass Authentication with “MagicWeb”

Microsoft has warned that the hacker group behind the 2020 SolarWinds supply chain attack has a new technique to bypass authentication in corporate networks.

The trick, a highly specialized capability that Microsoft calls “MagicWeb,” allows actors to maintain a firm footing in a network even if defenders try to eject them.

However, unlike in past attacks from the group, which Microsoft tracks as Nobelium, the actors are not using a supply chain compromise to deploy MagicWeb; instead, they are misusing administrator credentials.

Nobelium remains “highly active”

The US and UK claim that the Nobelium actors belong to the Russian Foreign Intelligence Service (SVR) hacking unit. Nobelium actors have carried out several high-profile supply chain attacks since the SolarWinds software build systems were compromised in late 2020. That attack compromised 18,000 targets, among them several U.S. agencies and technology companies, Microsoft included.

Since then, Microsoft and other security companies have identified several sophisticated tools, such as backdoors, used by Nobelium – and MagicWeb is the latest. MagicWeb targets enterprise identity systems, namely Active Directory Federation Services (AD FS), the on-premises federation service, as opposed to Azure Active Directory in the cloud. Microsoft therefore recommends isolating AD FS servers and restricting access to them.

Microsoft points out that Nobelium remains “highly active”. Last July, Microsoft revealed that it had found Nobelium information-stealing malware on the PC of one of its support agents, which was then used to launch attacks on others. Nobelium actors have also impersonated USAID, the United States Agency for International Development, in spear-phishing campaigns.

Handling Authentication Certificates

In October, Microsoft drew attention to Nobelium’s attacks on resellers of software and cloud services, once again abusing vendor-customer trust to exploit direct access to customers’ computer systems.

A month before the attacks on cloud service resellers, Microsoft exposed a Nobelium tool called ‘FoggyWeb’, a post-compromise backdoor that harvests information from a content management system in order to obtain token-signing and token-encryption certificates and to deploy malware.

MagicWeb employs similar methods targeting AD FS, but Microsoft claims it “goes beyond FoggyWeb’s collection capabilities by directly facilitating covert access.”

“MagicWeb is a malicious DLL that allows manipulation of claims passed in tokens generated by an AD FS server. It manipulates user authentication certificates used for authentication, not signing certificates used in attacks like Golden SAML.”

SAML refers to the “Security Assertion Markup Language,” which uses X.509 certificates to establish trust relationships between identity providers and services and to sign and decrypt tokens, Microsoft explains.

Highly targeted attacks, say Redmond experts

Before deploying MagicWeb, actors gained access to highly privileged credentials and then moved laterally across the network to gain administrative rights.

“This is not a supply chain attack,” Microsoft points out. “The attacker had administrator access to the AD FS system and replaced a legitimate DLL with his own malicious DLL, causing AD FS to load the malware instead of the legitimate binary.”

The Redmond company’s security teams – Microsoft’s MSTIC, Microsoft 365 Defender Research and Microsoft Detection and Response Team (DART) – found MagicWeb on a customer’s systems. The company believes that MagicWeb is used in “highly targeted” attacks.

Microsoft recommends that customers keep the AD FS infrastructure isolated and accessible only by dedicated administrative accounts, or migrate to Azure Active Directory.

Microsoft provides a detailed explanation of how MagicWeb manages to bypass authentication. The explanation is based on understanding how AD FS “claims-based authentication” works. Beyond single sign-on within an organization, AD FS can use “claims” (assertions carried in tokens) to let external parties – customers, partners, and vendors – authenticate with single sign-on.

“MagicWeb injects itself into the claims process to perform malicious actions outside of the normal roles of an AD FS server,” Microsoft explains.

How to protect the identity and authentication infrastructure?

MagicWeb also abuses SAML X.509 certificates, which “contain Enhanced Key Usage (EKU) values that specify for which applications the certificate should be used.” EKUs are expressed as object identifier (OID) values that enable uses such as smart card logon. Organizations can also define custom OIDs to restrict what a certificate may be used for.

“The MagicWeb authentication bypass stems from the transmission of a non-standard enhanced key usage OID that is hard-coded into the MagicWeb malware during an authentication request for a specified user principal name,” explains Microsoft.

“When this hard-coded unique OID value is encountered, MagicWeb causes the authentication request to bypass all standard AD FS processes (including checks for multi-factor authentication) and validate the user’s requests. MagicWeb manipulates user authentication certificates used in SAML signatures, not SAML claim signing certificates used in attacks like Golden SAML.”
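Because the bypass hinges on an unexpected EKU OID appearing in a user's certificate, a defender can audit the EKU extension of certificates accepted by AD FS against an explicit allow-list. The following is an added example, not code from Microsoft's report or from AD FS: it decodes a DER-encoded EKU extension value (a SEQUENCE OF OBJECT IDENTIFIER, as RFC 5280 defines it) with only the Python standard library and reports any OID not on the list. The `KNOWN_EKUS` allow-list is an assumed organizational policy, the sample DER bytes are constructed for the demonstration, and the OID `2.999.1` is taken from the ITU-T arc reserved for documentation examples; it stands in for any non-standard EKU and is not the OID MagicWeb uses.

```python
"""Audit the Enhanced Key Usage (EKU) OIDs in a certificate extension value
and flag any that are not on an explicit allow-list.

Added example, not Microsoft's or AD FS code. The DER bytes below are
constructed; 2.999.1 is from the ITU-T arc reserved for examples and stands
in for an unexpected, non-standard EKU (not MagicWeb's actual OID).
"""

# Well-known EKU OIDs (real values) that an AD FS deployment would typically
# expect on user certificates. Assumed allow-list policy for this example.
KNOWN_EKUS = {
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.4.1.311.20.2.2": "Microsoft Smart Card Logon",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends a base-128 sub-identifier
            arcs.append(value)
            value = 0
    first = arcs[0]
    # The first two arcs are packed as 40*a + b; arcs under 2.x may exceed 39.
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(ext_value: bytes) -> list:
    """Parse an EKU extnValue: SEQUENCE OF OBJECT IDENTIFIER (RFC 5280 4.2.1.12)."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def audit_eku(ext_value: bytes, allowed=KNOWN_EKUS) -> list:
    """Return the EKU OIDs not on the allow-list (an empty list means clean)."""
    return [oid for oid in parse_eku(ext_value) if oid not in allowed]


# Constructed sample EKU extension values (DER), not captured from any system.
# Benign: SEQUENCE { id-kp-clientAuth }
EKU_BENIGN = bytes.fromhex("300a06082b06010505070302")
# Suspicious: SEQUENCE { clientAuth, Smart Card Logon, 2.999.1 (example arc) }
EKU_SUSPICIOUS = bytes.fromhex(
    "301b"
    "06082b06010505070302"
    "060a2b060104018237140202"
    "0603883701"
)

if __name__ == "__main__":
    for label, value in (("benign", EKU_BENIGN), ("suspicious", EKU_SUSPICIOUS)):
        print(f"{label}: EKUs={parse_eku(value)} unexpected={audit_eku(value)}")
```

In practice the `ext_value` bytes would come from the EKU extension (OID 2.5.29.37) of each certificate presented to or issued for AD FS users; any hit from `audit_eku` is worth correlating with the authentication logs for the user principal name on that certificate, since a bypass of this kind leaves no MFA event where one would normally be expected.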

Defenders working in organizations that may be targeted should consult Microsoft’s blog post for advice on how to harden networks and protect identity and authentication infrastructure.
