Microsoft Suffers FoggyWeb Backdoor Breach

2021 hasn’t been kind to Microsoft. Startling discoveries in recent times shed light on lagging security aspects of Azure.

Now, the hackers behind the shocking SolarWinds attack, which crippled the Orion network supply chain, went after Microsoft and even compromised the source code of the Azure, Exchange, and Intune products.

The SolarWinds hackers have now compromised the Active Directory Federation Services (AD FS) servers of Microsoft.

The software giant stated that the hackers developed a backdoor to extract information from the compromised servers. The backdoor, called FoggyWeb, allowed the nefarious actors to download the credentials and database configurations remotely.

Making matters worse was the revelation that they also had access to the decrypted token-signing and token-decryption certificates.

Microsoft confirmed the FoggyWeb discovery in April and determined that the backdoor was used to download and run additional software components. “FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server,” said Ramin Nafisi, senior malware reverse engineer at the Microsoft Threat Intelligence Center.

“It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.”

Once initialized, FoggyWeb allows intruders to abuse Security Assertion Markup Language (SAML) tokens. It also gives them unauthorized access to sensitive information stored on the AD FS servers.

FoggyWeb's HTTP listeners respond to a Uniform Resource Identifier (URI) structure defined by the hackers. This counterfeit structure mimics the legitimate URIs used by AD FS.
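One defensive consequence of that design is that requests to attacker-defined, AD FS-looking URIs can be spotted by comparing request paths from the AD FS server's HTTP logs against the farm's own list of legitimate endpoints. The script below is an added example (not from Microsoft's report or this article): the log format, the allow-list of endpoint paths and the look-alike paths in the sample log are all constructed for illustration, and an operator would export the real endpoint list from their own AD FS farm (for instance with the Get-AdfsEndpoint PowerShell cmdlet).

```python
import re
from urllib.parse import urlsplit

# Constructed, illustrative allow-list of legitimate AD FS endpoint paths.
# A real deployment should export its own list (e.g. via Get-AdfsEndpoint)
# rather than rely on this sample.
KNOWN_ADFS_PATHS = {
    "/adfs/ls/",
    "/adfs/ls/idpinitiatedsignon.aspx",
    "/adfs/services/trust/2005/usernamemixed",
    "/adfs/services/trust/13/usernamemixed",
    "/adfs/oauth2/token",
    "/adfs/.well-known/openid-configuration",
    "/federationmetadata/2007-06/federationmetadata.xml",
}

# Constructed log format: <timestamp> <client-ip> "<METHOD> <target> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def is_federation_path(path):
    """True for paths inside the URI namespace that AD FS serves."""
    return path.startswith("/adfs/") or path.startswith("/federationmetadata/")


def find_lookalike_requests(log_lines):
    """Return (client, path) for requests under the AD FS namespace whose
    path is not an exact match for a known endpoint (query string ignored,
    case folded so /ADFS/LS/ and /adfs/ls/ compare equal)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = urlsplit(m["target"]).path.lower()
        if is_federation_path(path) and path not in KNOWN_ADFS_PATHS:
            hits.append((m["src"], path))
    return hits


# Constructed sample: two legitimate requests, two attacker-style look-alikes.
SAMPLE_LOG = [
    '2021-09-27T10:00:01Z 10.0.0.5 "GET /adfs/ls/?wa=wsignin1.0 HTTP/1.1" 200',
    '2021-09-27T10:00:02Z 10.0.0.5 "GET /federationmetadata/2007-06/federationmetadata.xml HTTP/1.1" 200',
    '2021-09-27T10:00:03Z 203.0.113.9 "GET /adfs/static/theme/banner.webp HTTP/1.1" 200',
    '2021-09-27T10:00:04Z 203.0.113.9 "POST /adfs/services/trust/2005/customupload HTTP/1.1" 200',
]

if __name__ == "__main__":
    for src, path in find_lookalike_requests(SAMPLE_LOG):
        print(f"suspicious AD FS-like request from {src}: {path}")
```

Exact matching means any legitimate endpoint missing from the allow-list is reported too, so the list must be generated from the actual farm configuration before the check is used for alerting.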

“Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,” stated Nafisi.

Nafisi added that FoggyWeb did not need to know AD FS version-dependent properties, such as named pipe names or schemas, to operate. Microsoft further noted that the backdoor exhibited qualities typically associated with SVR, the Russian foreign intelligence service.

The US administration had previously blamed SVR for the massive SolarWinds attack, which affected nine federal departments along with more than 100 private firms. The Russian intelligence group is also known as APT 29, Cozy Bear, and Nobelium.

“Protecting AD FS servers is key to mitigating Nobelium attacks,” Nafisi said. “Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known Nobelium attack chains.” AD FS currently runs on on-premises servers.

Microsoft confirmed that it had notified the clients compromised by this backdoor. Companies that suspect they have suffered a FoggyWeb breach are to contact Microsoft for an audit covering their on-premises servers and cloud infrastructure. The audit is meant to locate any changes SVR might have surreptitiously made.

Microsoft advised the compromised clients to remove user and app access immediately. They are then to issue new, stronger credentials, following documented industry best practices.

Additionally, the American giant stated that organizations should use hardware security modules (HSMs) to reduce the risk of a FoggyWeb-style compromise.

“What I cannot get is why customers still do not protect their AD FS keys in an HSM – if they still use AD FS,” penned Microsoft Chief Security Advisor Roger Halbheer in a LinkedIn post on Tuesday. “This was a key vector during the SolarWinds attack, and the actor behind it is still chasing these keys.”
