Network Security, Vulnerability Management, Threat Management

‘MagicWeb’ gives Nobelium threat group persistent access to compromised systems

The Microsoft logo
Microsoft researchers disclosed discovering that the Russian threat group Nobelium of having the ability to maintain access to compromised environments via a capability they're calling "MagicWeb." (Photo by David Ramos/Getty Images)

Microsoft security researchers say they’ve discovered that the threat group responsible for the SolarWinds attack has been able to maintain access to compromised environments via a capability they’re calling “MagicWeb.”

The threat group Nobelium is still highly active and has been executing multiple campaigns targeting multiple government-related organizations and think tanks across the United States, Europe and Central Asia, Microsoft’s Threat Intelligence Team posted to its blog this week.

The security researchers said MagicWeb was likely deployed during an ongoing compromise and was used by the Russian-sponsored threat group to maintain access despite attempts to evict them from compromised systems.

Unlike the SolarWinds case that reared its head in late 2020, MagicWeb is not a supply-chain attack. 

Microsoft researchers said Nobelium was able to deploy MagicWeb after gaining access to highly privileged credentials and moving laterally to gain administrative privileges to an AD FS system, and then replacing legitimate DLL with its own DLL. Microsoft discovered the backdoor during an incident response investigation.

The capability to maintain access to compromised systems is not a new one for Nobelium threat actors, Microsoft said. The Redmond software giant said that it disclosed last year that a post-exploitation capability called FoggyWeb that had similar methods as MagicWeb. 

FoggWeb is “capable of exifiltrating the configuration database of compromised AD FS servers, decrypting token-signing certificates with token-decryption certificates and downloading and executing additional malware components.”

In addition to the same capabilities as FoggyWeb, MagicWeb facilitates covert access directly by “manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.”

Security teams should refer to Microsoft's blog post on how to mitigate the risk MagicWeb poses, which includes migrating to Azure AD.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.