
Microsoft issues recommendations, as ‘MagicWeb’ malware hits Active Directory

Isolate AD, says Microsoft, as ‘MagicWeb’ weaves its way onto networks.

Francis Scialabba

· 3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Malware detailed by Microsoft is a reminder that Active Directory, and the many accounts and permissions it contains, is a valuable target for attackers and must be protected.

Guidance from Microsoft and others, prompted by the malicious DLL known as “MagicWeb,” includes monitoring AD for changes and building defenses around the directory and the federation servers that trust it.

“We recommend that any such infrastructure is isolated, accessible only by dedicated admin accounts, and regularly monitored for any changes,” said a lengthy post from Microsoft in August.

What’s MagicWeb? The threat appears to come from NOBELIUM, the group associated with major compromises like the SolarWinds hack. Not a new David Copperfield trick, MagicWeb subverts authentication on the Active Directory Federation Services (AD FS) servers that sit in front of AD.

NOBELIUM has some history of taking credentials by gaining admin-level access to Active Directory Federation Services (AD FS) servers—see its earlier work with the lesser-known FoggyWeb.

How does MagicWeb work? MagicWeb inserts itself into AD FS’s “claims-based” authentication: the AD FS server issues a signed token carrying claims about who the user is and what they may access, and relying applications trust that token. MagicWeb is a malicious DLL loaded by the AD FS process; once there, it tampers with how those claims and the user’s authentication certificate are validated, so the attacker can obtain a valid token, and authenticate as any user, without the legitimate credentials.

NOBELIUM deployed MagicWeb by first gaining access to highly privileged credentials and moving laterally to attain administrative privileges to an AD FS system. The attacker replaced a legitimate DLL with their own malicious one, causing AD FS to load the malware.
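Because MagicWeb lives in a DLL that AD FS loads in place of a legitimate one, the first practical check is whether every DLL in the AD FS install directory and in the running AD FS service is Authenticode-signed by Microsoft. The script below is an added example for this article, not code from Microsoft’s post or from IT Brew; it assumes the default install path `%SystemRoot%\ADFS`, the AD FS service process name `Microsoft.IdentityServer.ServiceHost`, and that it is run elevated on the federation server.

```powershell
# Added example (not the article's or Microsoft's code): flag DLLs used by AD FS that are
# not validly signed by Microsoft, which is how a swapped-in DLL like MagicWeb stands out.
# Assumptions: default AD FS directory under %SystemRoot%\ADFS, service process name
# Microsoft.IdentityServer.ServiceHost, and an elevated session on the AD FS server.

function Get-AdfsCandidateDlls {
    $files = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)

    # 1. Every DLL shipped in the AD FS install directory.
    $adfsDir = Join-Path $env:SystemRoot 'ADFS'
    if (Test-Path $adfsDir) {
        Get-ChildItem -Path $adfsDir -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$files.Add($_.FullName) }
    }

    # 2. Every module the live AD FS service has actually loaded (covers GAC-resolved
    #    assemblies such as Microsoft.IdentityServer.* that live outside the ADFS folder).
    Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.FileName -like '*.dll' } |
        ForEach-Object { [void]$files.Add($_.FileName) }

    return @($files)
}

function Test-AdfsDllSignatures {
    param([string[]]$Paths = (Get-AdfsCandidateDlls))

    $findings = foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # A legitimate AD FS binary carries a Valid signature from Microsoft Corporation.
        # Anything else (NotSigned, HashMismatch, a non-Microsoft signer) is a lead to
        # compare against a known-good server before declaring it malicious.
        $ok = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
        if (-not $ok) {
            [pscustomobject]@{
                Path         = $path
                Status       = $sig.Status
                Signer       = $signer
                Sha256       = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
                LastWriteUtc = (Get-Item $path).LastWriteTimeUtc
            }
        }
    }
    return @($findings)
}

# Usage: list any suspect DLLs, then feed the hashes to your SIEM or threat-intel lookup.
Test-AdfsDllSignatures | Format-Table -AutoSize
```

Treat the output as leads rather than a verdict: a hash mismatch on a file that AD FS is still loading is exactly the MagicWeb pattern, but a single unsigned third-party DLL may be a legitimate customization, so compare the list and the `LastWriteUtc` values against a known-good AD FS server before rebuilding the box.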

Laterally, everyone is doing it. Lateral movement—highlighted in a recent VMware report—has been trending with attackers looking to slowly creep from machine to machine to find sensitive data.

“Moving from one device to another can be very beneficial, so that you can potentially infect different networks and try to spread across multiple different sectors and sections of a business,” said Allie Mellen, senior analyst at Forrester. “Most of the time, in order to spread ransomware and try to lock down as many computers as possible.”


While the NOBELIUM group may not have locked down computers, they sought data, according to Microsoft.

“They specifically chose to target an AD FS server to facilitate their goals of persistence and information theft during their operations,” said Microsoft in its post.

AD-ing on to what Microsoft said…Microsoft’s mitigation recommendations boil down to: isolate the AD infrastructure, make it accessible only by dedicated admin accounts, and regularly monitor the repository for changes.

Alerts can be configured to be sent to the administrator, and a number of tools monitor Active Directory activity, including Netwrix, ManageEngine, and, well, SolarWinds.

“Whenever you create an account in Active Directory, or change credentials, that needs to go as an alert,” said Raj Dodhiawala, president of Remediant, a privileged-access management software provider.

Other Microsoft tips included controls like logon restrictions and network segmentation (using Windows Firewall) to prevent lateral movement.
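The monitoring side of Microsoft’s advice, and the alerting Dodhiawala describes, maps onto a handful of Windows Security event IDs written by domain controllers. The script below is an added example for this article (not Microsoft’s, Remediant’s, or the vendors’ code) that pulls those events from a DC’s Security log and turns each one into a single alert record; it assumes the account running it can read the remote Security log and that the DC name and lookback window are passed as parameters.

```powershell
# Added example, not code from the article or the vendors it names: surface the AD changes
# that should raise an alert (account creation/enabling, password changes and resets,
# account modification, additions to security groups) from a domain controller's Security
# log. Assumptions: rights to read the DC's Security log remotely; the DC name and the
# lookback window are parameters with defaults.

$WatchedEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4738 = 'User account changed'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
}

function Get-AdChangeAlerts {
    param(
        [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
        [int]$LookbackMinutes = 60
    )

    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$WatchedEvents.Keys
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each event's EventData is a list of <Data Name="..."> elements; flatten it so the
            # Subject* (who did it) and Target*/Member* (what changed) fields are easy to read.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                What    = $WatchedEvents[$_.Id]
                Actor   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Target  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                Member  = $data.MemberName      # populated only for group-membership events
                DC      = $_.MachineName
            }
        }
}

# Usage: run on a schedule and forward anything returned to the SIEM or an on-call mailbox.
Get-AdChangeAlerts -LookbackMinutes 15 | Format-Table -AutoSize
```

For the group events (4728, 4732, 4756) `Target` is the group and `Member` is the distinguished name that was added, so a filter on `Target` for Domain Admins, Enterprise Admins, or the AD FS service group gives the high-signal alert Dodhiawala is asking for; the account-creation and password events are lower signal on a busy domain and are better suited to baselining and to correlating against the actor account.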

Active Directory is a valuable target for hackers, Dodhiawala told IT Brew, given its storage of account information.

“Once you attack Active Directory, then it’s a free-for-all,” said Dodhiawala.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
