
Microsoft exposes APT group using technique to bypass authentication

Microsoft has discovered a new capability used by advanced persistent threat (APT) actors that allows them to maintain persistent access to compromised systems.

Security researchers said the threat group, tracked as NOBELIUM, has been able to deploy a specialised technique, dubbed MagicWeb, after first gaining access to privileged credentials and then moving laterally to gain admin rights on an Active Directory Federation Services (AD FS) server.

AD FS servers authenticate users, and the researchers said MagicWeb takes advantage of this by manipulating the certificates used for user authentication, effectively allowing the actor to sign in as any user.

Microsoft said the backdoor was discovered during an ongoing incident investigation and it appears to have been highly targeted.

To mitigate against this technique, Microsoft recommends that AD FS servers are treated as being as critical as domain controllers, and that access to them is restricted to only the subset of administrators who genuinely need it.

Luke Simmonds

Blogger at www.systemtek.co.uk
