Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 220: FOGGYWEB: TARGETED NOBELIUM MALWARE LEADS TO PERSISTENT BACKDOOR

Reference Number ACG-CSB 1001021220

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

             NOBELIUM malware is a post-exploitation backdoor that Microsoft Threat Intelligence Center refers to as FoggyWeb. NOBELIUM employs multiple tactics to pursue credential theft, with the goal of gaining admin-level access to Active Directory Federation Services (AD FS) servers. Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools.

          FoggyWeb is a backdoor used against Active Directory Federation Services servers, which provide single sign-on for users. The malware can be used to remotely exfiltrate sensitive information from AD FS servers compromised by NOBELIUM. This includes the AD FS server configuration database and the decrypted token-signing and token-decryption certificates. FoggyWeb can also receive further malware from NOBELIUM command and control servers and run it on compromised AD FS instances.

              After compromising an AD FS server, NOBELIUM dropped the following files on the system:

  • %WinDir%\ADFS\version.dll
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

            FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll can be described as its loader. The AD FS service executable Microsoft.IdentityServer.ServiceHost.exe loads this DLL through a DLL search order hijacking technique that involves the core Common Language Runtime (CLR) DLL files. The loader is responsible for loading the encrypted FoggyWeb backdoor file and for using a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.
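A triage check for the two dropped files and the hijacked DLL load described above, as an added example that is not part of the original bulletin or of Microsoft's tooling. The function name `Test-FoggyWebArtifacts` and its output shape are hypothetical; it assumes an elevated PowerShell session on the AD FS server and matches the .pri file by the zh-PH suffix named in the bulletin.

```powershell
# Added example: look for the FoggyWeb loader and encrypted backdoor file on an AD FS server.
# Test-FoggyWebArtifacts is a hypothetical name; run elevated so process modules are readable.
function Test-FoggyWebArtifacts {
    [CmdletBinding()]
    param(
        [string]$AdfsDir = (Join-Path $env:WinDir 'ADFS'),
        [string]$PriDir  = (Join-Path $env:WinDir 'SystemResources\Windows.Data.TimeZones\pris')
    )
    $findings = @()

    # 1. Loader: version.dll belongs in System32, not beside the AD FS service executable.
    $loader = Join-Path $AdfsDir 'version.dll'
    if (Test-Path -LiteralPath $loader) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $loader
        $hash = (Get-FileHash -LiteralPath $loader -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Check  = 'version.dll present in AD FS directory'
            Path   = $loader
            Detail = "Signature=$($sig.Status); SHA256=$hash"
        }
    }

    # 2. Encrypted backdoor: a .pri resource carrying the zh-PH suffix named in the bulletin.
    if (Test-Path -LiteralPath $PriDir) {
        Get-ChildItem -LiteralPath $PriDir -Filter '*.zh-PH.pri' -File -Force | ForEach-Object {
            $findings += [pscustomobject]@{
                Check  = 'zh-PH .pri file in TimeZones resources'
                Path   = $_.FullName
                Detail = "Size=$($_.Length); CreatedUtc=$($_.CreationTimeUtc.ToString('o'))"
            }
        }
    }

    # 3. Live process: did the running AD FS service load version.dll from outside System32?
    $system32 = Join-Path $env:WinDir 'System32'
    Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue | ForEach-Object {
        $procId = $_.Id
        $_.Modules | Where-Object { $_.ModuleName -ieq 'version.dll' -and $_.FileName -and
                -not $_.FileName.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase) } | ForEach-Object {
            $findings += [pscustomobject]@{
                Check  = 'AD FS service loaded version.dll from outside System32'
                Path   = $_.FileName
                Detail = "PID=$procId"
            }
        }
    }
    $findings
}

Test-FoggyWebArtifacts | Format-List
```

An empty result means none of the three checks matched on this host; any finding warrants preserving the files and memory of the service process before remediation.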

RECOMMENDATION

 

            All PNP personnel as well as the public are advised to follow these tips to reduce the risk of NOBELIUM malware:

 

  • Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access.
  • Remove user and app access, review configurations for each, and re-issue new strong credentials following documented industry best practices.
  • Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.
  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
  • Reduce local Administrators’ group membership on all AD FS servers.
  • Require all cloud admins to use multi-factor authentication (MFA).
  • Ensure minimal administration capability via agents.
  • Limit on-network access via host firewall.
  • Ensure AD FS Admins use Admin Workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
  • Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
  • Ensure that the installed certificates are protected against theft. Don’t store these on a network share, and set a calendar reminder to ensure they get renewed before expiring (an expired certificate breaks federation auth). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
  • Remove unnecessary protocols and Windows features.
  • Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
  • Update to the latest AD FS version for security and logging improvements (as always, test first).
  • When federated with Azure AD, follow the best practices for securing and monitoring the AD FS trust with Azure AD.

 

 

            For additional information, please refer to the following websites:

  • https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
  • https://www.itnews.com.au/news/solarwinds-attackers-drop-foggyweb-backdoor-on-ad-sso-servers-57043

POINT OF CONTACT

 

           Please contact PCPT MARK GERALD A NORBE, Police Community Relations Officer, by e-mail or on telephone number (632) 723 0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.