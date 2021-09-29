Russian criminals behind new attack on Microsoft servers

Microsoft this week issued a critical alert for organizations running Windows Server, and in particular Active Directory Federation Services (AD FS), about a new wave of attacks that attempt to steal data from infrastructures that are misconfigured or lack the proper protection mechanisms. The warning concerns an attack campaign that has been running since April and is attributed to Nobelium, the same group behind the SolarWinds supply-chain compromise.

According to the company, the attacks are happening on a large scale and involve a piece of malware called FoggyWeb. The malware, whose analysis has been corroborated by security firms such as Volexity, establishes a backdoor by abusing the authentication tokens that the server issues to other parties, which are expressed in the Security Assertion Markup Language (SAML).

Those tokens are issued by Active Directory Federation Services (AD FS), the Windows Server role that provides single sign-on to users and connected systems within an organization, and it is the AD FS server itself that the malware targets. Once running on a compromised AD FS server, FoggyWeb can extract the server's certificates (including those used to sign and decrypt tokens) and other authentication data, and can also download and install additional components on demand, opening the way to further attacks.

Microsoft's researchers describe FoggyWeb as a persistent backdoor that attackers can use in several ways: it sits inside the AD FS server, lets legitimate requests through so that normal operation is unaffected, and responds to the attacker's own specially crafted requests. It does all of this while evading automated security tooling, and it counts on the fact that poorly configured servers rarely receive much scrutiny from their administrators.

Nobelium is of Russian origin

Nobelium is believed to be directly linked to Russia's intelligence services, and the US government has already accused it of international espionage. In its malicious operations against companies and organizations around the world, the country's Foreign Intelligence Service (SVR) is also popularly known as Cozy Bear or by its APT designation.

Since May, Microsoft has been warning customers about the different malware families the group uses, delivered through phishing campaigns or by exploiting breaches in servers. In this case, the company also sent direct notifications to customers in whose environments it detected vulnerable or targeted servers, so that they could take mitigation steps to prevent attacks or further exploitation.

For everyone, the main advice is to audit the infrastructure: which users have access, which privileges each of them holds, and the other settings that govern them. Microsoft recommends reviewing every configuration and issuing new, strong, randomly generated credentials to all users, as well as deploying security and monitoring controls that can block malware installation and the exfiltration of sensitive information from servers.
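One way to start that audit on an AD FS server, as an added PowerShell example that is not part of the original article and not Microsoft's own tooling: it lists the certificates AD FS uses to sign and decrypt tokens (the material the article says FoggyWeb extracts) and flags any module loaded into the AD FS service, or any binary in its install directory, that does not carry a valid Microsoft signature (the kind of additional component the article says the backdoor installs). It assumes the AD FS role is installed on the host, that the service runs as the default Microsoft.IdentityServer.ServiceHost.exe under C:\Windows\ADFS, and that the ADFS PowerShell module is available; run it from an elevated prompt on the server.

```powershell
# Added example (not from the original article or from Microsoft's advisory):
# a quick hunt on an AD FS server for the two things the article says FoggyWeb
# goes after -- the token-signing/decryption certificates and extra components
# loaded into the AD FS service. Run as an administrator on the AD FS server.
# Assumptions: the AD FS role and its PowerShell module are installed, and the
# service runs as Microsoft.IdentityServer.ServiceHost.exe from $env:windir\ADFS.

# 1. Which certificates sign and decrypt tokens, and when do they expire?
#    An unexpected thumbprint, or a primary certificate that was never rolled
#    after an incident, is what "issue new credentials" has to cover for AD FS.
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 2. Is the service process loading anything Microsoft did not sign?
#    A backdoor that reads tokens and handles requests from inside AD FS has to
#    be loaded as a module; anything without a valid Microsoft Authenticode
#    signature deserves a closer look.
$adfs = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction Stop
$adfs.Modules |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Module = $_.FileName
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject   # $null when unsigned
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' } |
    Format-Table -AutoSize

# 3. Anything in the AD FS install directory that is not signed by Microsoft?
#    Components dropped next to the service binary show up here even when the
#    service has not (yet) loaded them.
Get-ChildItem -Path "$env:windir\ADFS" -Recurse -Include *.dll, *.exe |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.SignerCertificate.Subject -notlike '*Microsoft*' } |
    Select-Object Path, Status |
    Format-Table -AutoSize
```

An empty result from checks 2 and 3 is not a clean bill of health, only the absence of one obvious indicator; a backdoor can also live in a signed-but-abused component or outside the AD FS process entirely. The certificate listing only tells you which certificates are in use; whether a process on the host can read their private keys depends on where those keys are stored, which is why Microsoft's AD FS hardening guidance recommends keeping the token-signing key in a hardware security module rather than in a software key store on the server.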

Source: Microsoft

