The attack group Microsoft tracks as Nobelium is using a new post-exploitation backdoor capable of stealing sensitive data from a compromised Active Directory Federation Services (AD FS) server, the company reports.

Nobelium is the same group behind last year’s massive supply chain attack targeting SolarWinds’ Orion software. Since then, Microsoft has provided updates on the attackers’ activity, which in May included an advanced email campaign impersonating the US Agency for International Development (USAID).

Now the Microsoft Threat Intelligence Center (MSTIC) says the group is using new malware, dubbed FoggyWeb, as one of multiple tactics to pursue credential theft with the goal of gaining admin-level access to AD FS servers. FoggyWeb has been seen in the wild as early as April 2021, Microsoft says, and customers observed being targeted or compromised have been notified.

FoggyWeb is a “passive and highly targeted backdoor” that can remotely exfiltrate sensitive data from a compromised AD FS server. It can also receive additional malicious commands from a command-and-control (C2) server and execute them on the victim’s server.

“Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” they write.

Read MSTIC’s full blog post for more details and recommendations to harden and secure AD FS deployments.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.