According to Microsoft, the notorious attacker group Nobelium is using a never-before-seen post-exploitation backdoor that can steal sensitive data from a compromised AD FS (Active Directory Federation Services) server.
What is FoggyWeb?
According to a report from the Microsoft Threat Intelligence Center (MSTIC), Nobelium uses a range of new tactics in its latest campaign, one of which involves using the FoggyWeb backdoor to gain admin-level access to AD FS servers. Reportedly, FoggyWeb was first discovered in April 2021.
The FoggyWeb backdoor is a highly pervasive and targeted backdoor capable of remotely exfiltrating sensitive data, receiving malicious commands from the attacker-controlled C2 server, and executing them on the victim's server.
“Nobelium uses FoggyWeb backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” wrote Ramin Nafisi from MSTIC.
The diagram below illustrates the methodology the Nobelium group uses to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.
Further, the backdoor abuses the