A new report from Microsoft describes the first time a Global Assembly Cache (GAC) implant was seen in the wild. The malware, known as MagicWeb and attributed to the Russia-based nation-state group NOBELIUM, is a post-compromise persistence tool that lets the attacker authenticate as anyone in the targeted network.
NOBELIUM’s rap sheet
NOBELIUM is perhaps most notorious for the SolarWinds supply chain compromise disclosed in December 2020, which is widely regarded as the most sophisticated nation-state cyber attack in history. Microsoft says NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.
Microsoft says nation-state attackers like NOBELIUM have seemingly unlimited monetary and technical support from their sponsor as well as access to unique, modern hacking tactics, techniques, and procedures. Unlike most bad actors, NOBELIUM changes its tradecraft on almost every machine it touches. Microsoft’s security analysts note that this actor places a very high value on its operations, has exceptional tradecraft, rarely makes mistakes and constantly changes tactics, which helps it remain undetected.
Microsoft previously uncovered a wide-scale malicious email campaign operated by NOBELIUM, which it had tracked since January 2021. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service Constant Contact to masquerade as a U.S.-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals. Later that year, Microsoft reported that NOBELIUM was attempting to gain access to downstream customers of multiple cloud service providers, managed service providers, and other IT services organizations that had been granted administrative or privileged access by other organizations.
MagicWeb: The attack and the response
In August 2022, a Microsoft customer fell victim to MagicWeb, which NOBELIUM was using to maintain persistent access to an environment it had already compromised. After noticing strange authentication requests, the customer contacted Microsoft’s Detection and Response Team (DART). The global team responded quickly and traveled onsite to run the investigation in real time. On arrival, DART assessed the situation, collected and normalized the relevant telemetry, and analyzed it to establish how the threat actor had gained access to the environment, how the backdoor had been implanted, and how the backdoor worked. The response then removed the backdoor implants and completed a full migration off Active Directory Federation Services (AD FS) to Azure Active Directory (Azure AD), which took the backdoored identity provider out of the authentication path altogether. Additional monitoring was put in place to watch for any further actions by the threat actor.
The incident response team, with the support of the Microsoft Threat Intelligence Center (MSTIC), split its resources into lines of inquiry around the authentication process and flow, separating the authentication scenario into logical buckets. In that flow, the user presents a certificate to the Web Application Proxy, the request is proxied to the AD FS server for certificate-based authentication, and AD FS then authenticates based on the validity of the certificate and the account details. The team’s working hypothesis was that the anomalous logons were being completed with client certificates that the customer’s own CA had never issued. To test it, they used CAPI2 diagnostic logging (the Microsoft-Windows-CAPI2/Operational event log) on the AD FS servers to capture the client certificates being presented, reviewed the customer’s certificate templates, and examined the captured certificates for irregularities. The certificates were not valid: they did not chain up to a trusted issuing authority, yet authentication had succeeded. After stacking the data (tallying each certificate field across the captured set to see what the actor’s certificates had in common), the team found the tell in one field: two distinct hardcoded object identifiers (OIDs) in the Enhanced Key Usage (EKU) extension of the certificate. With those deltas in the actor’s certificates identified, the team reverse-engineered the attack and reproduced the activity with crafted certificates of their own.
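As an added example (not part of Microsoft’s report or the customer’s tooling), the PowerShell below performs the two checks described above on each client certificate: whether it chains to a trusted issuing CA, and whether its EKU carries any OID outside an allow-list built from your own certificate templates. The allow-list, the two in-memory certificates and the “odd” private-arc OID are constructed for the demonstration; building the samples needs .NET Framework 4.7.2 or later (or PowerShell 7) for the CertificateRequest API.

```powershell
# Added example: triage captured client certificates for the two signals found
# in the investigation above. Neither certificate here comes from a real incident.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# EKU OIDs your legitimate user certificate templates issue. This allow-list is
# an assumption for the demo; build yours from your CA's templates.
$ExpectedEku = @(
    '1.3.6.1.5.5.7.3.2'        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
)

function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [string[]]$AllowedEku = $ExpectedEku
    )
    # 1. Chain validation against the machine's trusted roots. Revocation is
    #    skipped so an offline lab run does not fail for the wrong reason.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chains = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 2. Collect every EKU OID and diff it against the allow-list.
    $eku = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $eku += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    $unexpected = @($eku | Where-Object { $_ -notin $AllowedEku })

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        Issuer        = $Certificate.Issuer
        ChainsToTrust = $chains
        ChainStatus   = $status
        EKU           = $eku -join ','
        UnexpectedEKU = $unexpected -join ','
        # Either signal alone is worth a manual look; the actor's certs showed both.
        Suspicious    = (-not $chains) -or ($unexpected.Count -gt 0)
    }
}

# Constructed sample input: two self-signed certificates built in memory
# (.NET Framework 4.7.2+ or PowerShell 7). Self-signed certs will not chain to a
# trusted root, which mirrors the "did not chain" finding above.
function New-SampleCertificate([string]$Subject, [string[]]$EkuOids) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Subject", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1),
                          [DateTimeOffset]::UtcNow.AddDays(30))
}

$samples = @(
    New-SampleCertificate 'alice' @('1.3.6.1.5.5.7.3.2')
    # Hypothetical odd OID: a private-arc value no template of ours issues.
    New-SampleCertificate 'mallory' @('1.3.6.1.5.5.7.3.2', '1.2.3.4.5.6.7.8.9')
)

$samples | ForEach-Object { Test-ClientCertificate -Certificate $_ } |
    Format-Table Subject, ChainsToTrust, ChainStatus, UnexpectedEKU, Suspicious -AutoSize
```

On a real engagement you would feed Test-ClientCertificate the certificates recovered from the CAPI2 log or exported from the AD FS servers instead of the in-memory samples; in the output, the second sample trips the UnexpectedEKU column, and both fail the chain check because neither was issued by a trusted CA.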
Microsoft’s experts were back to tackling the largest puzzle in the case: how did MagicWeb subvert authentication?
Having concluded that the deception involved only AD FS itself and specially crafted certificates, the team zeroed in on the AD FS authentication processes and their dependencies. This led them to a backdoored copy of a DLL (Microsoft.IdentityServer.Diagnostics.dll) and a modified configuration file (Microsoft.IdentityServer.Servicehost.exe.config) that NOBELIUM had implanted.
Digging deeper into the identified binaries, analysts established how NOBELIUM’s malicious Microsoft.IdentityServer.Diagnostics.dll came to be loaded into the AD FS process: the configuration file had been edited to reference the assembly under a different public key token, so at the next restart the .NET runtime resolved that name from the Global Assembly Cache (GAC) and loaded the backdoored copy instead of Microsoft’s. This let the actor intercept and manipulate the claims pipeline: the backdoored DLL carried added .NET classes and static constructors that hooked the legitimate AD FS methods.
The four main methods identified in the technical analysis of MagicWeb inspect the presented X.509 certificate for the specific EKU OIDs; on a match they short-circuit certificate validation, so a certificate that never chained to a trusted issuer was accepted as a valid credential. That satisfied the certificate-based multifactor authentication (MFA) step, and the user named in the certificate was signed in.
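As an added example, not from Microsoft’s report, the PowerShell below checks the two artifacts named above on an AD FS server. It parses the assemblyBinding section of a .NET .exe.config for any Microsoft.IdentityServer.* assemblyIdentity whose publicKeyToken is not the Microsoft token, and it checks every copy of Microsoft.IdentityServer.Diagnostics.dll under the GAC for a valid Microsoft Authenticode signature and a matching token. The expected token (31bf3856ad364e35), the dependentAssembly layout and the embedded sample config are assumptions for the demonstration; confirm the token against a known-clean AD FS server before relying on it.

```powershell
# Added example: look for a redirected public key token in the AD FS service
# config and for an unsigned or non-Microsoft diagnostics assembly in the GAC.

# Assumption: legitimate Microsoft.IdentityServer.* assemblies carry this token.
# Verify on a clean server; do not trust a value copied from a compromised one.
$ExpectedToken = '31bf3856ad364e35'

function Get-SuspiciousAssemblyBinding {
    param([Parameter(Mandatory)][xml]$Config, [string]$Expected = $ExpectedToken)
    $ns = @{ asm = 'urn:schemas-microsoft-com:asm.v1' }
    # Every <assemblyIdentity> under <dependentAssembly>. GetAttribute() is used
    # rather than $node.name because XmlElement also has its own .Name property.
    Select-Xml -Xml $Config -Namespace $ns -XPath '//asm:dependentAssembly/asm:assemblyIdentity' |
        ForEach-Object { $_.Node } |
        Where-Object {
            $_.GetAttribute('name') -like 'Microsoft.IdentityServer*' -and
            $_.GetAttribute('publicKeyToken') -ne $Expected   # case-insensitive in PowerShell
        } |
        ForEach-Object {
            $redirect = $_.ParentNode.SelectSingleNode('asm:bindingRedirect', (New-XmlNs $_))
            [pscustomobject]@{
                Assembly       = $_.GetAttribute('name')
                PublicKeyToken = $_.GetAttribute('publicKeyToken')
                NewVersion     = if ($redirect) { $redirect.GetAttribute('newVersion') } else { '' }
            }
        }
}

# Small helper: namespace manager for XPath on a node's owner document.
function New-XmlNs([System.Xml.XmlNode]$Node) {
    $mgr = [System.Xml.XmlNamespaceManager]::new($Node.OwnerDocument.NameTable)
    $mgr.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')
    $mgr
}

function Test-GacIdentityServerAssembly {
    param([string]$Name = 'Microsoft.IdentityServer.Diagnostics',
          [string]$Expected = $ExpectedToken)
    $gac = Join-Path $env:windir 'Microsoft.NET\assembly\GAC_MSIL'
    Get-ChildItem -Path (Join-Path $gac $Name) -Recurse -Filter "$Name.dll" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            # Public key token as lowercase hex; an unsigned assembly yields ''.
            $token = ([System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).GetPublicKeyToken() |
                      ForEach-Object { $_.ToString('x2') }) -join ''
            [pscustomobject]@{
                Path       = $_.FullName
                Token      = $token
                SignedBy   = $sig.SignerCertificate.Subject
                SigStatus  = $sig.Status
                Suspicious = ($token -ne $Expected) -or ($sig.Status -ne 'Valid') -or
                             ($sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation')
            }
        }
}

# Constructed sample config (not a real capture): one legitimate binding and one
# that points the diagnostics assembly at a hypothetical attacker token.
[xml]$sample = @'
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.IdentityServer" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.IdentityServer.Diagnostics" publicKeyToken="0123456789abcdef" />
        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
'@

Get-SuspiciousAssemblyBinding -Config $sample   # flags only the Diagnostics entry

# On a real AD FS server, run the same checks against the live file and the GAC.
$configPath = Join-Path $env:windir 'ADFS\Microsoft.IdentityServer.Servicehost.exe.config'
if (Test-Path $configPath) {
    Get-SuspiciousAssemblyBinding -Config ([xml](Get-Content -Raw $configPath))
    Test-GacIdentityServerAssembly
}
```

Run this from a known-good admin workstation or a forensic copy rather than from an interactive session on the suspect server, and compare the GAC listing against a clean build of the same AD FS version: an extra versioned folder under GAC_MSIL\Microsoft.IdentityServer.Diagnostics is as telling as an unsigned DLL.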
To help protect against MagicWeb, Microsoft recommends treating AD FS and all identity providers (IdPs) as Tier 0 assets, since planting the implant requires administrative access to the AD FS server; identifying, logging and auditing your organization’s authentication flow; mandating multifactor authentication organization-wide, all the time; and keeping up with basic security hygiene to raise the cost of the threat actor’s operations.