Nobelium (Cozy Bear) malware hijacks ADFS to log in as anyone in Windows.

Read the full article at this link:
Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows (bleepingcomputer.com)

Microsoft has found new malware used by APT29 (a.k.a. NOBELIUM, Cozy Bear) that lets the actor authenticate as any user in a compromised network. As a state-sponsored cyberespionage actor, APT29 uses the new capability to conceal its presence on the networks of its targets, which are mainly government and critical organisations in Europe, the United States, and Asia. The malware, a tool known as ‘MagicWeb’, replaces a genuine DLL used by ADFS with a malicious version in order to alter user authentication certificates and the claims passed in tokens created by the compromised server.

If MagicWeb is detected in your environment, it is unlikely to match any static IOCs from other targets, such as a SHA-256 hash.

Our Solution:

Our XDR platform detects forensic changes in the Dynamic Link Library (DLL) manipulated by the adversary and takes response actions to isolate the host so that the attack is stopped in its tracks.
To detect the DLL manipulation, we do not need prior knowledge of the IOC (the hash of the DLL) mentioned in the article, because we detect forensic changes in a DLL's reputation (its forensic state), such as changes in its certificate and in its size on disk or in memory.
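As an added example (not code from the article or from the vendor's XDR product), the following PowerShell script records a baseline of size, SHA-256 and Authenticode signer for the DLLs in the ADFS directory and then reports any drift or untrusted signature on later runs; the ADFS install path and the baseline file location are assumptions.

```powershell
# Added example: baseline-and-compare integrity check for the DLLs ADFS loads.
# Run once with -Baseline to record each file's state, then periodically without
# it to report drift. $AdfsDir and $BaselinePath are assumed locations.
param(
    [string]$AdfsDir      = "$env:SystemRoot\ADFS",                    # assumed
    [string]$BaselinePath = "$env:ProgramData\adfs-dll-baseline.json",  # assumed
    [switch]$Baseline
)

function Get-DllState {
    param([string]$Dir)
    $state = @{}
    foreach ($f in Get-ChildItem -Path $Dir -Filter *.dll -Recurse -File) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $state[$f.FullName] = [pscustomobject]@{
            Size   = $f.Length
            Sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            Status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
    return $state
}

$current = Get-DllState -Dir $AdfsDir

if ($Baseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline of $($current.Count) DLLs written to $BaselinePath"
    return
}

$known  = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$alerts = @()
foreach ($path in $current.Keys) {
    $now = $current[$path]
    $old = $known.PSObject.Properties[$path].Value
    # Independently of the baseline, a DLL that is unsigned, tampered with, or
    # not signed by Microsoft is suspicious in the ADFS directory.
    if ($now.Status -ne 'Valid' -or $now.Signer -notmatch 'O=Microsoft Corporation') {
        $alerts += "UNTRUSTED SIGNATURE: $path ($($now.Status); signer='$($now.Signer)')"
    }
    if ($null -eq $old) { $alerts += "NEW DLL: $path"; continue }
    foreach ($prop in 'Size', 'Sha256', 'Status', 'Signer') {
        if ($now.$prop -ne $old.$prop) {
            $alerts += "CHANGED ${prop}: $path ('$($old.$prop)' -> '$($now.$prop)')"
        }
    }
}
if ($alerts) { $alerts | Write-Output; exit 1 } else { Write-Output "No ADFS DLL drift detected" }
```

A non-zero exit code makes the script easy to wire into a scheduled task or SIEM collector, and the signature check catches a replaced DLL even on the first run, before any baseline exists.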
