The hacker group Nobelium is deploying a new piece of malware, a backdoor named FoggyWeb, on Active Directory Federation Services (AD FS) servers it has already compromised. Malware is short for malicious software: code that runs on a computer or device without the user's consent. It comes in many forms, including viruses, spyware and, as here, backdoors that give an attacker persistent remote access.
The warning comes from the Microsoft Threat Intelligence Center (MSTIC). The same group was behind the SolarWinds supply-chain attack disclosed in December 2020, which caused chaos at many companies around the world, including Dansk Energi and Deloitte.
FoggyWeb is not a vulnerability in AD FS but a post-exploitation backdoor: it is installed on AD FS servers, which handle federated sign-in and issue the tokens that grant users and applications access, after the attacker has already obtained administrative access to the server. Microsoft says it has notified the customers it has observed being targeted or compromised.
According to Microsoft, Nobelium uses FoggyWeb to exfiltrate the configuration database of compromised AD FS servers and the decrypted token-signing and token-decryption certificates, and to download and execute additional components on the server. Whoever holds the token-signing certificate can forge sign-in tokens for any user in the federation, which is why these certificates are the real prize. It is important to emphasize that this does not apply to organizations that run only Active Directory without the AD FS role.
If you suspect that your company or organization has been affected, Microsoft recommends the following:
- Audit both on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules and other recent changes.
- Remove user and app access, review the configuration of each, and re-issue new, strong credentials.
- Use a hardware security module (HSM) to hold the AD FS private keys, so that FoggyWeb cannot exfiltrate them even from a compromised server.
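The following PowerShell script is an added example, not part of the article and not Microsoft's own guidance, that turns the three recommendations above into a first triage pass on an AD FS server: list recent Federation Service configuration changes, inventory the token-signing and token-decrypting certificates FoggyWeb targets, report whether their private keys appear to live in an HSM, and optionally trigger an urgent rollover. The ADFS cmdlets and .NET calls are real, but two details are assumptions: that configuration changes are logged to the 'AD FS/Admin' channel as event ID 307, and that an HSM-backed key can be recognized by a non-Microsoft key storage provider name. Run it in an elevated session on the AD FS server itself.

```powershell
# Added example (not from the article or from Microsoft): AD FS triage for the
# three recommendations above. Requires the ADFS module that ships with the role.
Import-Module ADFS -ErrorAction Stop

$lookbackDays = 30          # how far back to look for configuration changes
$rotate       = $false      # set to $true to trigger an urgent certificate rollover

# 1. Audit: recent Federation Service configuration changes.
# Assumption: AD FS logs "The Federation Service configuration was changed" as
# event ID 307 in the 'AD FS/Admin' channel.
Write-Host "== AD FS configuration changes in the last $lookbackDays days =="
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    Id        = 307
    StartTime = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No configuration-change events found (or the channel is not enabled)."
}

# 2. Inventory the certificates FoggyWeb exfiltrates and check where their keys live.
Write-Host "== Token-signing and token-decrypting certificates =="
$certs = Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }

foreach ($c in $certs) {
    $x509 = $c.Certificate
    # Assumption: a software key reports "Microsoft Software Key Storage Provider";
    # an HSM key reports the vendor's KSP. Reading the key handle needs rights on the
    # private key, which the AD FS service account has but an admin may not; in that
    # case the provider is reported as 'unknown' rather than failing the script.
    $provider = 'unknown'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($x509)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = $rsa.Key.Provider.Provider
        }
    } catch { }
    $hsmBacked = ($provider -ne 'unknown') -and ($provider -notlike 'Microsoft Software*')

    [pscustomobject]@{
        Type        = $c.CertificateType
        Primary     = $c.IsPrimary
        Thumbprint  = $c.Thumbprint
        NotAfter    = $x509.NotAfter
        KeyProvider = $provider
        HsmBacked   = $hsmBacked
    }
}

# 3. Re-issue: AD FS can only auto-roll certificates it generated itself.
$props = Get-AdfsProperties
Write-Host "AutoCertificateRollover: $($props.AutoCertificateRollover)"
if ($rotate) {
    if ($props.AutoCertificateRollover) {
        # -Urgent promotes a new certificate immediately instead of after the
        # normal promotion window; every existing token is invalidated, and relying
        # parties (including the cloud tenant) must pick up the new federation metadata.
        Update-AdfsCertificate -CertificateType Token-Signing   -Urgent
        Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
    } else {
        Write-Host "Rollover is manual: issue new HSM-backed certificates and install them with Add-AdfsCertificate / Set-AdfsCertificate."
    }
}
```

The certificate inventory is the part to act on first: a compromised server whose token-signing key shows a software provider should be treated as having lost that key, which means rollover plus an audit of every relying party for tokens issued since the suspected compromise, not just removing the backdoor file.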
You can read more about the warning in Microsoft's advisory on FoggyWeb.
