Microsoft has uncovered new malware employed by the Russian advanced persistent threat group APT29 (NOBELIUM, Cozy Bear) that allows authentication as any user on a compromised network. APT29 remains active, running multiple operations simultaneously against government organisations, non-governmental organisations (NGOs), intergovernmental organisations (IGOs), and think tanks across the United States, Europe, and Central Asia. APT29 has abused identities and credentialed access to maintain persistence in multiple campaigns.

The new malicious tool, dubbed ‘MagicWeb,’ is an evolution of ‘FoggyWeb,’ which enabled hackers to exfiltrate the configuration database of compromised Active Directory Federation Services (AD FS) servers, decrypt token-signing and token-decryption certificates, and retrieve additional payloads from the command and control (C2) server. According to Microsoft, AD FS utilises claims-based authentication to validate the user’s identity and authorisation claims. These claims are bundled into an authentication token. MagicWeb injects itself into the claims process in order to undertake malicious actions outside of an AD FS server’s normal function.

The MagicWeb tool replaces a legitimate DLL used by AD FS with a malicious version in order to manipulate user authentication certificates and modify the claims passed in tokens issued by the compromised server. Because AD FS servers handle user authentication, MagicWeb can let APT29 pass authentication as any user account served by that server, giving the threat group persistence and a multitude of opportunities to pivot. Microsoft notes that MagicWeb requires APT29 to first obtain administrative access to the target AD FS server and replace the legitimate DLL with its own version; this has already happened in at least one case that Microsoft’s Detection and Response Team (DART) was tasked with investigating.
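As an added example (not from the article or from Microsoft’s report), the kind of check a defender could run on an AD FS server: it enumerates the DLLs loaded into the AD FS service process and flags any whose Authenticode signature is not valid or whose signer is not Microsoft, which is how a swapped-in, attacker-built DLL would stand out. It assumes the AD FS service process is named Microsoft.IdentityServer.ServiceHost and that the shell is running elevated on the server itself.

```powershell
# Added example, not Microsoft's code. Run elevated on the AD FS server.
# Assumption: the AD FS service runs as Microsoft.IdentityServer.ServiceHost.exe.
$adfsProc = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction Stop

$findings = foreach ($mod in $adfsProc.Modules) {
    $path = $mod.FileName
    # Only look at DLLs on disk; skip entries with no resolvable path.
    if (-not $path -or $path -notmatch '\.dll$') { continue }

    # Verify the Authenticode signature of the file actually loaded into the process.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # A DLL loaded by AD FS that is unsigned, tampered (signature no longer valid)
    # or signed by someone other than Microsoft deserves a closer look.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')

    [pscustomobject]@{
        Module     = $mod.ModuleName
        Path       = $path
        SigStatus  = $sig.Status
        Signer     = $signer
        Suspicious = $suspicious
    }
}

# Report only the modules that failed the check; an empty table is the expected result.
$findings | Where-Object Suspicious | Format-Table Module, Path, SigStatus, Signer -AutoSize
```

Comparing the flagged paths and file hashes against a known-good AD FS installation, rather than relying on signature status alone, is the follow-up a responder would take before concluding anything.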

Microsoft isn’t sharing IOCs on this APT29 activity at this time.