Russian hacker group hijacks ADFS authentication process
A new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM or Cozy Bear) subverts the ADFS (Active Directory Federation Services) authentication process and enables malicious users to log in as anyone in Windows. It seems the threat actors are innovating fast and focusing on Microsoft, leveraging in particular on-premise Active Directory components, in this case ADFS.
The new malicious tool is called ‘MagicWeb’ and is a modification of the ADFS authentication process that replaces a legitimate system DLL with a malicious version to manipulate user authentication certificates and to modify claims passed in tokens generated by the compromised server.
Because ADFS facilitates user authentication, MagicWeb's DLL modification will validate authentication for any user account on that server, giving the threat actor lots of new opportunities to impersonate users, access data and move laterally.
Of course, MagicWeb requires the malicious user to first gain admin access to the target ADFS server and replace that DLL with their version, so it's mainly used as a post-compromise technique.
There are many threat indicators that can help hunt for MagicWeb, most importantly searching for unsigned DLLs on the ADFS server. Again, endpoint or server inspection using XDR technology proves important here.
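As an added example (not code from the article or from Microsoft), the following PowerShell script performs the unsigned-DLL hunt described above on an ADFS server: it enumerates every DLL loaded by the running ADFS service process and flags any whose Authenticode signature is missing or invalid, or whose signer is not Microsoft. The service name `adfssrv` and the publisher match are assumptions; adjust them for your environment, and run the script elevated so that the service process's module list can be read.

```powershell
# Added example, not part of the original article.
# Audit the DLLs loaded by the AD FS service process and report any that are
# unsigned, carry an invalid signature, or are signed by someone other than
# Microsoft. Assumes the AD FS Windows service is named 'adfssrv' (assumption)
# and that the script runs in an elevated session on the AD FS server.

$serviceName = 'adfssrv'   # assumption: default AD FS service name

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc -or -not $svc.ProcessId) {
    throw "Service '$serviceName' is not running; nothing to inspect."
}
$proc = Get-Process -Id $svc.ProcessId

$findings = foreach ($m in $proc.Modules) {
    $path = $m.FileName
    if ($path -notlike '*.dll') { continue }

    # Get-AuthenticodeSignature also honours catalog signatures for OS files.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Module     = $m.ModuleName
        Path       = $path
        Status     = $sig.Status
        Publisher  = $publisher
        LastWrite  = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        # Flag anything not validly signed by Microsoft (publisher check is an assumption).
        Suspicious = ($sig.Status -ne 'Valid') -or ($publisher -notmatch 'O=Microsoft Corporation')
    }
}

# Most recently modified files first: a freshly swapped DLL tends to stand out here.
$findings |
    Where-Object { $_.Suspicious } |
    Sort-Object LastWrite -Descending |
    Format-Table Module, Status, Publisher, LastWrite, Path -AutoSize
```

Legitimate third-party modules (monitoring or backup agents, for instance) will also be listed, so treat the output as a triage list rather than a verdict: compare each flagged file's hash and timestamp against a known-good ADFS server, and schedule the check so that a DLL replaced after the baseline is caught on the next run.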