
Nobelium's New ‘MagicWeb’ Malware: Cyber Threat Intelligence Roundup

The latest on APT29’s new post-exploitation strategy, an ongoing campaign against U.S. and NATO-affiliated organizations, and how hackers are using the Sliver toolkit as a Cobalt Strike alternative

Emerging Issue

Russia’s state-backed hacking group APT29 continues to create headlines and headaches. This week, we delve into the threat actor’s new post-compromise capability called MagicWeb, which lets APT29 authenticate as anybody within a compromised network. We also look at how APT29 is exploiting Azure Active Directory services to hack accounts belonging to U.S. and NATO member organizations. Plus, we offer details on how hackers are leveraging the Sliver toolkit as an alternative to Cobalt Strike.

1. Microsoft details APT29’s post-compromise technique of authenticating as anybody

A new report from Microsoft’s Threat Intelligence Center (MSTIC) reveals how the Russian state-sponsored advanced persistent threat (APT) group APT29 — aka Nobelium and Cozy Bear — has pioneered a post-exploitation tool dubbed MagicWeb, allowing attackers to authenticate as any user.

Who is APT29?

If you’re new to APT29, this group is highly active, versatile, and capable of engaging in multiple simultaneous campaigns. The group’s victimology includes government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks located in the U.S., Europe, and Central Asia.

What is MagicWeb?

APT29 is now using a post-compromise capability, dubbed MagicWeb, that lets the group keep persistent access to compromised environments and move laterally. MagicWeb is a malicious DLL that manipulates the tokens generated by an Active Directory Federation Services (AD FS) server. It tampers with the user authentication certificates used for authentication rather than with the token-signing certificates.

MSTIC’s researchers assess that MagicWeb was most likely deployed at some point during an ongoing compromise and was leveraged by APT29 to maintain access during “strategic remediation steps that could preempt eviction.”

The report goes on to state that “…in September 2021, Microsoft disclosed a post-exploitation capability named FoggyWeb with methods and intent similar to MagicWeb. FoggyWeb was capable of exfiltrating the configuration database of compromised AD FS servers, decrypting token-signing certificates and token-decryption certificates, and downloading and executing additional malware components. MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly.”

Mitigation options for MagicWeb

APT29’s ability to deploy MagicWeb hinges entirely on first obtaining highly privileged credentials with administrative access to AD FS servers. Therefore, it’s critical to treat AD FS systems as top-tier, highly critical assets and give them the same protective measures you apply to domain controllers and the other assets in your environment you deem most critical.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“As MSTIC made clear, MagicWeb as a capability is not exactly new terrain for APT29 — nor is the group’s abuse of identities and credentialed access.

Given APT29’s sophistication, its historic record of high-profile compromises, its continuous advancements in methodology, and its additions to its malware arsenal, it’s nice to see that MSTIC has provided some recommended hunting guidance/advanced hunting queries toward the end of its write-up. Microsoft’s Defender Antivirus and Defender for Endpoint detect and alert on this threat, respectively.”

2. Russian hackers exploit Azure services to hack U.S. & NATO Microsoft 365 accounts

Recent reporting from cybersecurity firm Mandiant reveals that APT29 is actively targeting Microsoft 365 accounts belonging to U.S. and NATO-affiliated organizations to steal sensitive data.

APT29’s recent activity is characterized by espionage campaigns displaying a continued emphasis on operational security (OPSEC) and advanced tactics targeting Microsoft 365.

Mandiant highlights the following APT29 TTPs used in recent operations:

  • Disabling licenses: Microsoft 365 makes use of various licenses to regulate user access to services in its suite of products. These same licenses often dictate security settings, such as log retention and the documentation of access to email items.

    Purview Audit enables the Mail Items Accessed audit, which records the user-agent string, timestamp, IP address, and user each time a mail item is accessed. The audit records any type of mail access, whether it is via the Graph API, Outlook, a browser, or another method.

  • MFA takeover of dormant accounts: Despite the numerous benefits of multifactor authentication (MFA), it’s still vulnerable to attacks — and threat actors are constantly inventing new ways of bypassing it. Mandiant has previously discussed how threat actors abuse push-based MFA to spam users with notifications until they eventually accept the prompt and allow the threat actor access.

  • Focus on OPSEC: As evidenced by its most recent wave of activity, APT29 continues to demonstrate a significant commitment to OPSEC and to security and evasion methodology.
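The two TTPs above (license changes that silence mail-access auditing, and MFA registration on dormant accounts) both leave traces in Microsoft 365 and Azure AD audit data. The script below is an added example, not code from Mandiant, Microsoft or Tanium: it runs two detection checks over a small, constructed set of audit records. The record shape (CreationTime, Operation, UserId, ClientIPAddress) and the operation names are modeled on the unified audit log and Azure AD audit log, but the records themselves, the user names, the IP addresses and the 90-day dormancy threshold are all assumptions made for the sample.

```python
"""
Detection logic over constructed Microsoft 365 / Azure AD audit records.

Check 1 (audit coverage): users whose licence was changed and who keep signing
         in afterwards, yet produce no MailItemsAccessed events any more.
Check 2 (dormant-account MFA takeover): accounts idle for a long period that
         register new MFA security info and then sign in from an address never
         seen for that account before.
All records below are constructed for illustration; field and operation names
follow the audit-log naming but are assumptions for this sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANCY_DAYS = 90  # assumption: an account idle this long counts as dormant

EVENTS = [
    # alice: mail-access auditing goes quiet after a licence change while sign-ins continue
    {"CreationTime": "2022-05-01T09:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.5"},
    {"CreationTime": "2022-08-01T08:00:00", "Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ClientIPAddress": "203.0.113.5"},
    {"CreationTime": "2022-08-02T10:00:00", "Operation": "Change user license.", "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.7"},
    {"CreationTime": "2022-08-03T11:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.7"},
    {"CreationTime": "2022-08-04T11:30:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIPAddress": "198.51.100.7"},
    # bob: dormant since March, then registers MFA and signs in from a never-before-seen address
    {"CreationTime": "2022-03-01T09:00:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIPAddress": "203.0.113.9"},
    {"CreationTime": "2022-08-10T02:00:00", "Operation": "User registered security info.", "UserId": "bob@example.com", "ClientIPAddress": "198.51.100.7"},
    {"CreationTime": "2022-08-10T02:05:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIPAddress": "198.51.100.7"},
    # carol: active user who legitimately re-registers MFA from her usual address
    {"CreationTime": "2022-08-01T09:00:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com", "ClientIPAddress": "203.0.113.20"},
    {"CreationTime": "2022-08-05T09:00:00", "Operation": "MailItemsAccessed", "UserId": "carol@example.com", "ClientIPAddress": "203.0.113.20"},
    {"CreationTime": "2022-08-09T09:00:00", "Operation": "User registered security info.", "UserId": "carol@example.com", "ClientIPAddress": "203.0.113.20"},
    {"CreationTime": "2022-08-09T09:10:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com", "ClientIPAddress": "203.0.113.20"},
]


def parse(events):
    """Convert timestamps to datetime objects and return records in time order."""
    out = []
    for e in events:
        rec = dict(e)
        rec["CreationTime"] = datetime.fromisoformat(e["CreationTime"])
        out.append(rec)
    return sorted(out, key=lambda r: r["CreationTime"])


def by_user(records):
    groups = defaultdict(list)
    for r in records:
        groups[r["UserId"]].append(r)
    return groups


def audit_coverage_gaps(records):
    """Users who sign in after a licence change but no longer emit MailItemsAccessed."""
    flagged = []
    for user, recs in by_user(records).items():
        changes = [r["CreationTime"] for r in recs if r["Operation"] == "Change user license."]
        if not changes:
            continue
        after = [r for r in recs if r["CreationTime"] > changes[-1]]
        logins = [r for r in after if r["Operation"] == "UserLoggedIn"]
        mail_audit = [r for r in after if r["Operation"] == "MailItemsAccessed"]
        if logins and not mail_audit:
            flagged.append(user)
    return flagged


def dormant_mfa_takeovers(records, dormancy_days=DORMANCY_DAYS):
    """(user, registration time, ip) for MFA registrations on dormant accounts
    followed by a sign-in from an address not previously seen for that user."""
    flagged = []
    for user, recs in by_user(records).items():
        known_ips, last_login = set(), None
        for r in recs:
            if r["Operation"] == "User registered security info.":
                idle = last_login is None or (r["CreationTime"] - last_login) > timedelta(days=dormancy_days)
                if idle:
                    for s in recs:
                        if (s["Operation"] == "UserLoggedIn" and s["CreationTime"] > r["CreationTime"]
                                and s["ClientIPAddress"] not in known_ips):
                            flagged.append((user, r["CreationTime"], s["ClientIPAddress"]))
                            break
            elif r["Operation"] == "UserLoggedIn":
                last_login = r["CreationTime"]
                known_ips.add(r["ClientIPAddress"])
    return flagged


if __name__ == "__main__":
    recs = parse(EVENTS)
    print("audit coverage gaps:", audit_coverage_gaps(recs))
    print("dormant-account MFA registrations:", dormant_mfa_takeovers(recs))
```

On this sample the first check flags alice (sign-ins continue after the licence change, but mail-access auditing has gone silent) and the second flags only bob; carol re-registered MFA after a short gap and from a known address, so she is not reported. Against real data the dormancy window and the "known address" notion would be tuned to the tenant, and a licence change would normally be cross-checked against a change-management record.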

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“For those of us who have spent the better part of our careers witnessing APT29’s evolution, this threat actor has clearly made the most of its access to the resources, training, and tools that Russia’s state-sponsored hacking teams enjoy — particularly those with definitive links to the state’s intelligence apparatus. APT29 has demonstrated a strong commitment to continuously upgrading and developing its technical tradecraft, especially when it comes to refining the methodology leveraged by APT29 to maintain a significant degree of OPSEC. 

This is a group that has proven itself fully capable of keeping pace with technological advancements, and, borrowing a phrase from Mandiant’s Outlook segment, CTI fully ‘expects that APT29 will stay apace with the development of techniques and tactics to access Microsoft 365 in novel and stealthy ways.’”

3. Hackers adopt Sliver toolkit as a Cobalt Strike alternative

An August 24 Microsoft blog post reports that threat actors have been observed moving away from the popular and highly effective Cobalt Strike penetration-testing suite in favor of similar but less well-known frameworks such as Brute Ratel and, most recently, the open-source, cross-platform kit known as Sliver.

According to Microsoft, its researchers have observed the Sliver command-and-control (C2) framework being increasingly adopted for use in intrusion campaigns conducted by state-sponsored threat actors and cybercrime syndicates specializing in ransomware and extortion, as well as being leveraged by a range of other threat actors to evade detection.

Sliver was first introduced in 2019 and advertised to security professionals. It’s an open-source framework, written in Go and available on GitHub. Sliver features several standard C2 framework capabilities, including support for multiple simultaneous users, various listener types, user-created extensions, and payload generation. Microsoft claims to have observed threat actors integrating Sliver into their toolkits since December 2020.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Cobalt Strike has long been a favorite framework of threat actors of all types. As such, the detection strategies of defenders have steadily matured, and, as the methods of its use by cybercriminals have been exhaustively documented, it’s little wonder that more threat actors are moving on and embracing different malware frameworks like Sliver. Whether this particular framework becomes the new MVP of cybercrime, or the honor ends up going to some other framework, is ultimately of little consequence — provided that organizations are proactive in their efforts to develop hunting playbooks to identify and prevent future instances of the malicious activity that Sliver and its peers can aid in precipitating.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
