fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft: Nobelium Uses Custom Malware to Backdoor Windows Domains

Microsoft: Nobelium Uses Custom Malware to Backdoor Windows Domains

Microsoft has discovered new malware used by the Nobelium hacking group to deploy additional payloads and steal sensitive info from Active Directory Federation Services (AD FS) servers.

Nobelium, the threat actor behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies, is the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear.

In April, the United States government formally accused the SVR division of carrying out “the broad-scope cyber espionage campaign.”

Cybersecurity firm Volexity also linked the attacks to APT29 operators based on tactics observed in previous incidents going back to 2018.

Also Read: What You Need to Know About Singapore’s Data Sharing Arrangements

Used in the wild since April 2021

The malware, dubbed by Microsoft Threat Intelligence Center (MSTIC) researchers FoggyWeb, is a “passive and highly targeted” backdoor that abuses the Security Assertion Markup Language (SAML) token.

It is designed to help the attackers remotely exfiltrate sensitive information from compromised AD FS servers by configuring HTTP listeners for actor-defined URIs to intercept GET/POST requests sent to the AD FS server matching the custom URI patterns.

“NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” Microsoft said.

Also Read: PDPA Compliance for HR Managers in Singapore: A Must

“It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.”

FoggyWeb works as a persistent backdoor that allows abuse of SAML tokens and configures HTTP listeners for actor-defined URIs to intercept GET/POST requests sent to the AD FS server that match the custom URI patterns.

The Russian state hackers have been observed using the FoggyWeb backdoor in the wild since April 2021.

FoggyWeb backdoor communication
FoggyWeb backdoor communication (Microsoft)

FoggyWeb defense tips 

Microsoft has already alerted notified customers that were targeted or compromised using this backdoor.

Organizations that believe they might’ve been breached or compromised are advised to:

  • Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access
  • Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
  • Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.

In May, Microsoft researchers also revealed four other malware families used by Nobelium in their attacks: a downloader known as ‘BoomBox,’ an HTML attachment named ‘EnvyScout,’ a shellcode downloader and launcher named ‘VaporRage,’ and a loader known as ‘NativeZone,’

They detailed three more Nobelium malware strains used for layered persistence in March: a command-and-control backdoor dubbed ‘GoldMax,’ a persistence tool and malware dropper named ‘Sibot,” and an HTTP tracer tool tracked as ‘GoldFinder.’

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us