SolarWinds attackers drop 'FoggyWeb' backdoor on AD SSO servers

By

Malware can exfiltrate sensitive data for Windows domains.

Microsoft has published extensive information on new malware it calls FoggyWeb, deployed by Russia-linked threat actors Nobelium who are said to be behind the devastating SolarWinds supply chain attack on corporate and government IT systems worldwide.

SolarWinds attackers drop 'FoggyWeb' backdoor on AD SSO servers

FoggyWeb is backdoor used against Active Directory Federation Services servers, which provide single sign-on for users.

The malware can be used to remotely exfiltrate sensitive information from AD FS servers compromised by Nobelium, Microsoft's Threat Intelligence Centre said.

This includes the AD FS server configuration database, decrypted token-signing and decryption certificates.

FoggyWeb can also receive further malware from Nobelium command and control servers, and run these on compromised AD FS instances.

Customers believed to be attacked by Nobelium and FoggyWeb have been alerted by Microsoft, which recommends that AD FS users take a range of measures to secure their servers.

The company said FoggyWeb is detected by its Defender 365 anti-malware utility.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Victoria's first government tech chief steps down

Victoria's first government tech chief steps down

SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks

WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices

Log In

  |  Forgot your password?