How To Protect AD FS From The FoggyWeb Backdoor

Microsoft has warned about a new post-exploitation backdoor named FoggyWeb, a backdoor built mainly to gain admin-level access to Active Directory Federation Services (AD FS) servers. This post explains how to protect your AD FS servers from the FoggyWeb backdoor.

What Is Active Directory Federation Services (AD FS)?

Active Directory Federation Services (AD FS) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Web sites and services. You can use AD FS to enable your organization to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for duplicate accounts, management of multiple logons, and other credential management issues that can occur when you establish cross-organizational trusts.

By Microsoft

Who Created The FoggyWeb Backdoor Malware?

As per the analysis report shared by the Microsoft Threat Intelligence Center (MSTIC), a well-known threat actor, NOBELIUM, is behind the FoggyWeb backdoor. This is the same actor behind the campaigns involving the SUNBURST backdoor, TEARDROP malware, GoldMax, GoldFinder, and Sibot malware.

Why Was FoggyWeb Backdoor Created?

The main purpose of any backdoor is to maintain unauthorized access to the victim machine, and NOBELIUM most likely created FoggyWeb for the same reason. The FoggyWeb backdoor was built to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate (used to digitally sign all security tokens), and the token-decryption certificate (used to decrypt tokens received by the federation server). Go through Microsoft's report for the full analysis of the FoggyWeb backdoor malware.

Indicators Of Compromise (IOCs) Of FoggyWeb Backdoor:

Type     Threat Name  Threat Type            Indicator
MD5      FoggyWeb     Loader                 5d5a1b4fafaf0451151d552d8eeb73ec
MD5      FoggyWeb     Backdoor (encrypted)   9ff9401315d0f7258a9fcde0cfdef02b
MD5      FoggyWeb     Backdoor (decrypted)   e9671d294ce41fe6dbb9637dc0157a88
SHA-1    FoggyWeb     Loader                 c896ece073dd01191cbc1d462bc2f47161828a83
SHA-1    FoggyWeb     Backdoor (encrypted)   4597431f26424cb814c917168fa8d74d01ab7cd1
SHA-1    FoggyWeb     Backdoor (decrypted)   85cfeccbb48fd9f498d24711c66e458e0a80cc90
SHA-256  FoggyWeb     Loader                 231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1
SHA-256  FoggyWeb     Backdoor (encrypted)   da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169
SHA-256  FoggyWeb     Backdoor (decrypted)   568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6

How To Protect AD FS From The FoggyWeb Backdoor?

Prevention is always better than cure. If you suspect that your AD FS servers could be targeted by the FoggyWeb backdoor, follow these tips to protect them.

  1. Do a complete audit of your on-premises and cloud infrastructure. Review all changes made to security, network, and infrastructure components over the past week.
  2. Impose and follow all access and password management best practices.
  3. Block the IoCs listed above on security devices such as firewalls, IDS/IPS, and EDR.
  4. Harden the AD FS servers to increase security.
  5. Confirm that only authorized administrators hold admin rights on the AD FS system.
  6. Enable Multi-Factor Authentication (MFA) for cloud admins.
  7. Deploy a host firewall to regulate network traffic within the network.
  8. Implement a Public Key Infrastructure to protect the entities on the network.
  9. Configure the AD FS servers to forward logs to a SIEM solution so that all activity is monitored.
  10. Filter unnecessary traffic at the perimeter routers/firewalls.
  11. Keep the operating system and applications up to date. Follow the patching process without fail.
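Tips 3 and 9 above call for blocking the listed IoCs and getting AD FS activity into a SIEM. The following PowerShell script is an added example (not from the original post or from Microsoft) that hunts for the SHA-256 hashes from the IOC table on an AD FS server and writes any hits to a CSV that a SIEM can ingest; the scan roots and report path are assumptions you should adjust for your environment.

```powershell
# Added example: hunt an AD FS server for the FoggyWeb SHA-256 hashes listed above.
# Assumptions: $ScanRoots are starting points only (not paths named by the post);
# adjust them and $ReportPath for your environment.
param(
    [string[]]$ScanRoots = @("C:\Windows\ADFS", "C:\Windows\Temp", "C:\ProgramData"),
    [string]$ReportPath = "$env:TEMP\foggyweb-ioc-scan.csv"
)

# SHA-256 indicators copied from the IOC table (uppercase, as Get-FileHash reports them).
$FoggyWebSha256 = @{
    "231B5517B583DE102CDE59630C3BF938155D17037162F663874E4662AF2481B1" = "FoggyWeb Loader"
    "DA0BE762BB785085D36AEC80EF1697E25FB15414514768B3BCAF798DD9C9B169" = "FoggyWeb Backdoor (encrypted)"
    "568392BD815DE9B677788ADDFC4FA4B0A5847464B9208D2093A8623BBECD81E6" = "FoggyWeb Backdoor (decrypted)"
}

# Walk each scan root, hash every file, and keep only files whose hash is a known indicator.
$findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h -and $FoggyWebSha256.ContainsKey($h.Hash.ToUpperInvariant())) {
                [pscustomobject]@{
                    Computer   = $env:COMPUTERNAME
                    Path       = $_.FullName
                    SHA256     = $h.Hash
                    Indicator  = $FoggyWebSha256[$h.Hash.ToUpperInvariant()]
                    LastWrite  = $_.LastWriteTimeUtc
                    ScannedUtc = (Get-Date).ToUniversalTime()
                }
            }
        }
}

# Emit a SIEM-friendly CSV and a console summary; an empty result means no hash matched.
if ($findings) {
    $findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    Write-Warning "FoggyWeb indicators found in $(@($findings).Count) file(s). Report: $ReportPath"
    $findings | Format-Table Path, Indicator, LastWrite -AutoSize
} else {
    Write-Host "No FoggyWeb file hashes found under: $($ScanRoots -join ', ')"
}
```

A hash match means the server should be isolated and handed to your incident response process, while a clean result only proves the known samples are absent; a recompiled variant would not match, so hash hunting complements the log forwarding in tip 9 rather than replacing it.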

We hope this post helps you protect your AD FS from the FoggyWeb backdoor. Thanks for reading this threat post. Please share it and help to secure the digital world. Please visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of "thesecmaster.com". Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
