Microsoft warns of Nobelium hackers using FoggyWeb backdoor

Microsoft has warned of a new backdoor, FoggyWeb, being used by Nobelium, the same state-sponsored hacking group believed to be responsible for the supply-chain attacks.

According to Microsoft, the Nobelium group is using a never-before-seen post-exploitation backdoor that steals sensitive data from a compromised AD FS (Active Directory Federation Services) server.

What is FoggyWeb?

According to a report from the Microsoft Threat Intelligence Center (MSTIC), Nobelium uses a range of new tactics in its latest campaign. One of them is FoggyWeb: once the group has obtained admin-level access to an AD FS server, it deploys the backdoor there to maintain persistence and steal data. FoggyWeb was reportedly first observed in April.

FoggyWeb is a passive, highly targeted backdoor capable of remotely exfiltrating sensitive data, receiving commands from an attacker-controlled C2 server, and executing them on the victim's server.

"Nobelium uses FoggyWeb backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components," wrote Ramin Nafisi from MSTIC.
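Because the backdoor runs inside the AD FS host and walks off with the token-signing and token-decryption certificates, two things a defender wants to know quickly are which certificates are currently trusted (so they can be rotated) and whether anything unexpected is loaded into the AD FS service. The PowerShell audit below is an added example, not code from the Microsoft report or from this article. It assumes the ADFS module is installed, that AD FS lives under `$env:SystemRoot\ADFS`, and that a DLL in that directory or a module in the AD FS service process without a valid Authenticode signature is worth investigating; it does not know FoggyWeb's actual file names, so its output is a triage list, not a verdict.

```powershell
# Added example (not from the Microsoft report or this article).
# Run in an elevated PowerShell session on an AD FS server.
# Assumptions: the ADFS module is present, AD FS is installed under
# $env:SystemRoot\ADFS, and any DLL there (or loaded into the AD FS service)
# whose Authenticode signature is not 'Valid' deserves a closer look.

Import-Module ADFS -ErrorAction Stop

# 1. Inventory the certificates FoggyWeb is reported to exfiltrate. After an
#    incident, compare thumbprints and NotBefore dates with your rotation
#    records: an attacker holding an unrotated token-signing certificate can
#    mint SAML tokens for any user the federation trusts.
Write-Host "== AD FS token certificates =="
'Token-Signing', 'Token-Decrypting' |
    ForEach-Object { Get-AdfsCertificate -CertificateType $_ } |
    ForEach-Object {
        [pscustomobject]@{
            Type       = $_.CertificateType
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.Certificate.NotBefore
            NotAfter   = $_.Certificate.NotAfter
        }
    } | Format-Table -AutoSize

$autoRollover = (Get-AdfsProperties).AutoCertificateRollover
Write-Host "AutoCertificateRollover enabled: $autoRollover"

# 2. Flag DLLs in the AD FS install directory whose Authenticode signature is
#    missing or invalid. Legitimate Microsoft binaries here are signed
#    (directly or via catalog), so anything else needs a reason to exist.
Write-Host "== DLLs under $env:SystemRoot\ADFS without a valid signature =="
Get-ChildItem -Path "$env:SystemRoot\ADFS" -Filter *.dll -Recurse -File |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize

# 3. Flag modules loaded into the running AD FS service host that are not
#    validly signed. A loader dropped beside the service binary shows up here
#    even if it lives outside the directory scanned in step 2.
Write-Host "== Modules loaded in the AD FS service without a valid signature =="
Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Select-Object -ExpandProperty FileName -Unique |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_ } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status |
    Format-Table -AutoSize
```

Run it on a known-good AD FS server first to learn what the baseline looks like; some third-party or in-house DLLs may legitimately report `NotSigned`. Anything that appears only on the suspect server, or whose signer you cannot account for, should be pulled for analysis and compared with the indicators Microsoft published. If compromise is confirmed, the certificates listed in step 1 must be replaced, not merely examined, because FoggyWeb exfiltrates them in decrypted form.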

The diagram below shows how the Nobelium group communicates with a FoggyWeb backdoor running on a compromised, internet-facing AD FS server.

Further, the backdoor abuses the
