[MART] - Daily Diary #581 - Nobelium APT MagicWeb Malware

ctas-mat at appgate.com
Thu Aug 25 21:25:34 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/25/2022 - Diary entry #581:

Recently discovered, MagicWeb is a new post-compromise malware used by the Nobelium APT group, also known as APT29, Cozy Bear, and The Dukes.

Nobelium is a Russia-based cybercrime APT group that employs advanced espionage and data exfiltration techniques. We covered Nobelium in many of our Daily Diaries (#273, #359, #376, #444, and #501), including the SolarWinds incident and, most recently, when the group targeted multiple diplomatic and government entities.

Recent Nobelium campaigns revealed that the group deploys MagicWeb after gaining access to highly privileged credentials and moving laterally to obtain administrative privileges on an AD FS (Active Directory Federation Services) system. MagicWeb is a modified version of the Microsoft.IdentityServer.Diagnostics.dll file, a DLL used in legitimate AD FS operations; it thereby establishes persistence on the system and allows the APT to authenticate users.

To protect against this kind of attack, it is important to adopt security measures that block the preceding step, the initial access. Companies should limit the access of their employees' accounts and remove special access and special privileges from anyone who doesn't need them. With the Principle of Least Privilege applied, even if an account is compromised, the attacker's actions are limited to that user's scope, so the permissions required to deploy MagicWeb should not be available to most users inside an organization. It is also recommended to harden the AD FS servers and apply the same protections applied to a domain controller, since they are all critical security infrastructure.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
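
Because the entry above describes MagicWeb as a modified copy of Microsoft.IdentityServer.Diagnostics.dll, one hardening check for an AD FS server is to compare every copy of that file against hashes recorded from a trusted installation. The following is an added example, not part of the original post and not Microsoft's or Appgate's tooling; the function name, the search roots, and the known-good hash list are assumptions the operator supplies.

```powershell
# Added example (not from the original post): baseline integrity check for the
# AD FS DLL named in this diary entry. Test-AdfsDiagnosticsDll is a hypothetical
# name; -SearchRoots and -KnownGoodSha256 are supplied by the operator.
function Test-AdfsDiagnosticsDll {
    [CmdletBinding()]
    param(
        # Directories to search, e.g. the AD FS install and .NET assembly cache directories.
        [Parameter(Mandatory)] [string[]] $SearchRoots,
        # SHA-256 hashes recorded from a trusted AD FS server at the same patch level.
        [Parameter(Mandatory)] [string[]] $KnownGoodSha256
    )

    $dllName  = 'Microsoft.IdentityServer.Diagnostics.dll'
    $baseline = @($KnownGoodSha256 | ForEach-Object { $_.Trim().ToUpperInvariant() })

    Get-ChildItem -Path $SearchRoots -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                SHA256          = $hash
                MatchesBaseline = $baseline -contains $hash
                # Signature details are reported as supporting evidence only.
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                LastWriteUtc    = $_.LastWriteTimeUtc
            }
        }
}

# Usage (placeholder values, to be replaced by the operator):
#   $report = Test-AdfsDiagnosticsDll -SearchRoots '<directory 1>', '<directory 2>' `
#                                     -KnownGoodSha256 (Get-Content '<baseline file>')
#   $report | Where-Object { -not $_.MatchesBaseline } | Format-List
```

Any copy that does not match the baseline, or a run that finds no copy at all under the expected roots, is a reason to investigate the server.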
