Microsoft specialists have discovered a new malware strain used by the Nobelium group and named it FoggyWeb. The malware is used to deploy additional payloads and steal sensitive data from Active Directory Federation Services (AD FS) servers.

The Nobelium hacking group (aka APT29, Cozy Bear, or The Dukes) is believed to be linked to the Russian government and is named as the party responsible for the SolarWinds hack, one of the largest supply chain attacks in history.
The malware, now discovered by Microsoft Threat Intelligence Center experts, is called FoggyWeb and is a “passive and highly targeted” backdoor that abuses Security Assertion Markup Language (SAML) tokens.
This tool has been in use since April 2021 and has been helping attackers remotely extract sensitive information from compromised AD FS servers by configuring HTTP listeners for specific URIs to intercept GET and POST requests sent to the AD FS server.
Let me remind you that we also reported that Chinese hackers took part in attacks on SolarWinds clients.