What is NOBELIUM’s new MagicWeb Tool?

NOBELIUM and MagicWeb

• To carry out an attack, the tool requires admin access to the target ADFS server by replacing a DLL with a tainted version. However, it is suspected this has already happened in at least one case.
• The tool exfiltrates the configuration database from compromised ADFS servers. It then decrypts the token signing and decryption certificates, and then downloads additional payloads from its C2 server.,
• The tool replaces a genuine DLL used by ADFS with a malicious one to manipulate user authentication certificates and change claims passed in tokens produced by the infected server.
• As the ADFS servers facilitate user authentication, the tool allows the attacker in validating authentication for any user account on a server, giving persistence and opportunities for additional malicious activities.

Replacing DLL

• NOBELIUM replaces the Microsoft.IdentityServer.Diagnostics.dll with a backdoored version with an additional section in the ‘TraceLog’ class.
• This new section is a static constructor run once during the loading of the DLL while launching the ADFS server.
• The constructor is used to hook four legitimate ADFS functions, named Build, GetClientCertificate, EndpointConfiguration, and ProcessClaims to perform various actions inside the targeted network.

What to do?