How To Protect AD FS From The FoggyWeb Backdoor?

Microsoft has warned about a new post-exploitation backdoor named FoggyWeb, a backdoor created mainly to gain admin-level access to Active Directory Federation Services (AD FS) servers. We have created this post to let you know how to protect your AD FS servers from the FoggyWeb backdoor.

What Is Active Directory Federation Services (AD FS)?

Active Directory Federation Services (AD FS) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Web sites and services. You can use AD FS to enable your organization to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for duplicate accounts, management of multiple logons, and other credential management issues that can occur when you establish cross-organizational trusts.

By Microsoft

Who Created The FoggyWeb Backdoor Malware?

As per the analysis report shared by the Microsoft Threat Intelligence Center (MSTIC), a well-known threat actor, NOBELIUM, is behind the FoggyWeb backdoor. This is the same actor behind the campaigns involving the SUNBURST backdoor and the TEARDROP, GoldMax, GoldFinder, and Sibot malware.

Why Was FoggyWeb Backdoor Created?

The main purpose of any backdoor is to maintain unauthorized access to the victim machine, and NOBELIUM most likely created the FoggyWeb backdoor for similar tasks. FoggyWeb was built to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate (used to digitally sign all security tokens), and the token-decryption certificate (used to decrypt tokens received by the federation server). Go through Microsoft's report for the full analysis of the FoggyWeb backdoor malware.

Indicators Of Compromise (IOCs) Of FoggyWeb Backdoor:


How To Protect AD FS From The FoggyWeb Backdoor?

Precautions are always better than a cure. If you ever suspect that your AD FS servers could be targeted by the FoggyWeb backdoor, follow these tips to protect them.

  1. Do a complete audit of your on-premises and cloud infrastructure. Review all changes made over the past week across security, network, and infrastructure systems.
  2. Impose best practices: follow all access and password management best practices.
  3. Block the IoCs on security devices such as firewalls, IDS/IPS, and EDRs.
  4. Harden the AD FS servers to increase security.
  5. Confirm that only authorized administrator accounts hold admin rights on the AD FS servers.
  6. Enable Multi-Factor Authentication (MFA) for cloud admins.
  7. Deploy a host firewall to regulate network traffic within the network.
  8. Implement a Public Key Infrastructure to protect the entities on the network.
  9. Configure the AD FS servers to forward their logs to a SIEM solution so that all activity is monitored.
  10. Filter unnecessary traffic at the perimeter routers/firewalls.
  11. Keep the operating system and applications up to date. Follow the patching process without fail.
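As an added example that is not part of the original post, the following PowerShell script puts items 1, 3, 5 and 9 of this list into practice on a single AD FS server: it hashes the files in the AD FS install directory against a caller-supplied SHA-256 IOC list, flags recently modified files, lists who holds local admin rights, and optionally turns on verbose AD FS auditing so the events reach your log forwarder. The install directory `%windir%\ADFS`, the IOC file path, and the seven-day window are assumptions.

```powershell
# Added triage script for an AD FS server (not from the original post).
# Assumptions: run in an elevated PowerShell on the AD FS server itself;
# $IocFile holds one SHA-256 per line, copied from Microsoft's FoggyWeb IOC list.
param(
    [string]$AdfsDir = (Join-Path $env:windir 'ADFS'),  # assumed AD FS install dir
    [string]$IocFile = 'C:\IOC\foggyweb-sha256.txt',    # assumed path
    [int]$Days = 7,                                      # item 1: review window
    [switch]$EnableAuditing                              # item 9: opt in to config change
)

# Item 3: load the IOC hashes into a set (normalised to lower case).
$iocs = Get-Content -Path $IocFile | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }
$iocSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$iocs)

# Items 1 and 3: hash every file under the AD FS directory, flag IOC matches,
# and list anything written in the review window for manual inspection.
$since = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $AdfsDir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($iocSet.Contains($hash)) {
        Write-Warning "IOC MATCH: $($_.FullName) sha256=$hash"
    }
    elseif ($_.LastWriteTime -gt $since) {
        Write-Output "Modified in last $Days days: $($_.FullName) ($($_.LastWriteTime))"
    }
}

# Item 5: every principal with local admin rights on this server. Anything not on
# the approved administrator list deserves a follow-up.
Write-Output "`nLocal Administrators on $env:COMPUTERNAME:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Item 9: raise AD FS audit detail and enable the Windows audit subcategory that
# AD FS writes to, so the Security log carries the events your SIEM collects.
if ($EnableAuditing) {
    Set-AdfsProperties -AuditLevel Verbose
    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
    Write-Output "AD FS audit level is now: $((Get-AdfsProperties).AuditLevel)"
}
```

Run it without `-EnableAuditing` first to review the file and admin findings; the audit change is the only step that modifies the server.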

We hope this post will help you in protecting your AD FS from the FoggyWeb backdoor. Thanks for reading this threat post. Please share this post and help to secure the digital world. Please visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

Original article, author: ItWorker. If reprinting, please cite the source: https://blog.ytso.com/270049.html
