September 29, 2021

How To Protect AD FS From The FoggyWeb Backdoor?


Microsoft has warned about a new post-exploitation backdoor named FoggyWeb, created mainly to gain admin-level access to Active Directory Federation Services (AD FS) servers. This post explains how to protect your AD FS servers from the FoggyWeb backdoor.

What Is Active Directory Federation Services (AD FS)?

Active Directory Federation Services (AD FS) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Web sites and services. You can use AD FS to enable your organization to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for duplicate accounts, management of multiple logons, and other credential management issues that can occur when you establish cross-organizational trusts.

By Microsoft

Who Created The FoggyWeb Backdoor Malware?

According to the analysis report shared by the Microsoft Threat Intelligence Center (MSTIC), a well-known threat actor, NOBELIUM, is behind the FoggyWeb backdoor. This is the same actor behind the email campaigns like SUNBURST backdoor, TEARDROP malware, GoldMax, GoldFinder, and Sibot malware.

Why Was FoggyWeb Backdoor Created?

The main purpose of any backdoor is to maintain unauthorized access to the victim machine, and NOBELIUM most likely created the FoggyWeb backdoor for similar tasks. FoggyWeb was created to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate (used to digitally sign all security tokens), and the token-decryption certificate (used to decrypt tokens that are received by the federation server). Go through this report for the full analysis of FoggyWeb backdoor malware.

Indicators Of Compromise (IOCs) Of FoggyWeb Backdoor:

| Type | Threat Name | Threat Type | Indicator |
|---|---|---|---|
| MD5 | FoggyWeb | Backdoor (encrypted) | 9ff9401315d0f7258a9fcde0cfdef02b |
| MD5 | FoggyWeb | Backdoor (decrypted) | e9671d294ce41fe6dbb9637dc0157a88 |
| SHA-1 | FoggyWeb | Backdoor (encrypted) | 4597431f26424cb814c917168fa8d74d01ab7cd1 |
| SHA-1 | FoggyWeb | Backdoor (decrypted) | 85cfeccbb48fd9f498d24711c66e458e0a80cc90 |
| SHA-256 | FoggyWeb | Backdoor (encrypted) | da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169 |
| SHA-256 | FoggyWeb | Backdoor (decrypted) | 568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6 |

How To Protect AD FS From The FoggyWeb Backdoor?

Prevention is always better than curing an infection. If you ever suspect that your AD FS servers could be targeted by the FoggyWeb backdoor, follow these tips to protect AD FS.

  1. Do a complete audit of your on-premises and cloud infrastructure. Check the changes made over the past week across all security, network, and infrastructure components.

  2. Enforce best practices: follow all access and password management best practices.

  3. Block the IoCs on security devices like firewalls, IDS/IPS, and EDRs.

  4. Harden the AD FS servers to increase security.

  5. Confirm that only authorized administrators have admin rights to the AD FS system.

  6. Enable Multi-Factor Authentication (MFA) for cloud admins.

  7. Deploy a host firewall to regulate the network traffic within the network.

  8. Implement Public Key Infrastructure to protect the entities on the network.

  9. Configure the AD FS servers to forward logs to a SIEM solution so that all activity is monitored.

  10. Filter unnecessary traffic at the perimeter routers and firewalls.

  11. Keep the operating system and applications up to date. Follow the patching process without fail.
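
The indicators from tip 3 can also be checked on the AD FS host itself. The script below is an added example, not part of the original post or Microsoft's report: it hashes every file under the given paths and reports any whose SHA-256 matches the two values in the IoC table above. The `-Path` parameter name and its default (the Windows AD FS directory) are assumptions; pass any other directories you want swept.

```powershell
# Added example: sweep directory trees for files matching the FoggyWeb
# SHA-256 indicators listed in the IoC table on this page.
param(
    # Assumption: default is the AD FS directory under %windir%.
    [string[]]$Path = @("$env:windir\ADFS")
)

# SHA-256 values copied from the IoC table. PowerShell hashtable literals
# compare string keys case-insensitively, so Get-FileHash's uppercase
# output still matches these lowercase keys.
$FoggyWebSha256 = @{
    'da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169' = 'FoggyWeb backdoor (encrypted)'
    '568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6' = 'FoggyWeb backdoor (decrypted)'
}

$hits = foreach ($root in $Path) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Path not found, skipped: $root"
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if (-not $h) {
                # Locked or unreadable files are reported, not silently skipped.
                Write-Warning "Could not hash: $($_.FullName)"
            }
            elseif ($FoggyWebSha256.ContainsKey($h.Hash)) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = $h.Hash
                    Indicator = $FoggyWebSha256[$h.Hash]
                    LastWrite = $_.LastWriteTimeUtc
                }
            }
        }
}

if ($hits) {
    $hits | Format-List
    Write-Warning "$(@($hits).Count) file(s) match FoggyWeb indicators."
    exit 1
}
Write-Output 'No files matching the FoggyWeb SHA-256 indicators were found.'
```

Run it from an elevated PowerShell session so protected directories can be read. A clean result only means no file under the swept paths matches these two hashes.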

We hope this post helps you protect your AD FS servers from the FoggyWeb backdoor. Thanks for reading this threat post. Please share this post and help to secure the digital world. Please visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
