The threat actor behind the SolarWinds supply chain attack has been linked to yet another “highly targeted” post-exploitation malware that could be used to maintain persistent access to compromised environments.
Dubbed MagicWeb by Microsoft's threat intelligence teams, the tool is the latest sign of Nobelium's sustained investment in developing and maintaining purpose-built capabilities.
Nobelium is the tech giant's moniker for a cluster of activity that came to light with the disclosure of the SolarWinds supply chain compromise in December 2020, and which overlaps with the Russian nation-state hacking group widely tracked as APT29, Cozy Bear, or The Dukes.
MagicWeb, which shares similarities with an earlier Nobelium tool called FoggyWeb, is assessed to have been deployed to maintain access and preempt eviction during remediation efforts. It is not an initial-access tool: it is installed only after the actor has already obtained highly privileged access to an environment and moved laterally to an Active Directory Federation Services (AD FS) server.
Another tactic seen in the actor's recent operations is a password guessing attack against a dormant account. Once the credentials are recovered, the actor enrolls the account for multi-factor authentication using a device under its own control, and then uses the now "fully enrolled" account to reach the organization's VPN infrastructure.
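The dormant-account tactic above leaves a recognizable trail in identity logs: a burst of failed sign-ins on an account nobody has used in months, a success, an MFA registration shortly afterwards, and a VPN connection. The following hunt is an added example written for this page, not code from the article or from Microsoft; it runs over a constructed, simplified event list (timestamp, user, action, outcome) that stands in for a real sign-in and MFA-registration log, and the thresholds are assumptions to tune for your environment.

```python
"""Hunt for: dormant account -> password-guessing success -> MFA enrolment -> VPN.

Added example for this page. The four-tuple event schema and all thresholds are
assumptions; map them onto your own sign-in / MFA-registration / VPN logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 60                    # no successful sign-in for this long = dormant
MIN_FAILURES = 3                     # failures just before the success that suggest guessing
FAIL_WINDOW = timedelta(minutes=30)  # failures must fall within this window before the success
ENROLL_WINDOW = timedelta(hours=24)  # MFA enrolment this soon after the success is suspicious

# Constructed sample log (not real data). Events: (timestamp, user, action, outcome)
SAMPLE_EVENTS = [
    # svc-backup: last legitimate use in June, then guessed in August
    ("2022-06-01T09:00:00", "svc-backup", "signin", "success"),
    ("2022-08-20T02:10:00", "svc-backup", "signin", "failure"),
    ("2022-08-20T02:10:20", "svc-backup", "signin", "failure"),
    ("2022-08-20T02:10:40", "svc-backup", "signin", "failure"),
    ("2022-08-20T02:11:00", "svc-backup", "signin", "failure"),
    ("2022-08-20T02:14:00", "svc-backup", "signin", "success"),
    ("2022-08-20T02:16:00", "svc-backup", "mfa_enroll", "success"),
    ("2022-08-20T02:30:00", "svc-backup", "vpn_connect", "success"),
    # alice: active user who fat-fingered her password, then re-enrolled MFA (benign)
    ("2022-08-18T10:00:00", "alice", "signin", "success"),
    ("2022-08-20T08:00:00", "alice", "signin", "failure"),
    ("2022-08-20T08:00:30", "alice", "signin", "failure"),
    ("2022-08-20T08:01:00", "alice", "signin", "failure"),
    ("2022-08-20T08:01:30", "alice", "signin", "success"),
    ("2022-08-20T08:05:00", "alice", "mfa_enroll", "success"),
    # bob: brand-new account doing first-time enrolment, no guessing burst (benign)
    ("2022-08-19T12:00:00", "bob", "signin", "success"),
    ("2022-08-19T12:05:00", "bob", "mfa_enroll", "success"),
    ("2022-08-19T12:10:00", "bob", "vpn_connect", "success"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def hunt(events):
    """Return one finding per (user, success) that matches the full chain."""
    by_user = defaultdict(list)
    for ts, user, action, outcome in events:
        by_user[user].append((_ts(ts), action, outcome))

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        last_success = None      # most recent successful sign-in seen so far
        recent_failures = []     # failure timestamps inside FAIL_WINDOW
        for i, (t, action, outcome) in enumerate(evs):
            if action == "signin" and outcome == "failure":
                recent_failures = [f for f in recent_failures if t - f <= FAIL_WINDOW]
                recent_failures.append(t)
                continue
            if action == "signin" and outcome == "success":
                failures = [f for f in recent_failures if t - f <= FAIL_WINDOW]
                # "Dormant" = no prior success in the log, or the last one is old.
                dormant = last_success is None or (t - last_success) >= timedelta(days=DORMANT_DAYS)
                if dormant and len(failures) >= MIN_FAILURES:
                    later = evs[i + 1:]
                    enroll = next((e for e in later
                                   if e[1] == "mfa_enroll" and e[2] == "success"
                                   and e[0] - t <= ENROLL_WINDOW), None)
                    if enroll is not None:
                        vpn = any(e[1] == "vpn_connect" and e[2] == "success"
                                  and e[0] >= enroll[0] for e in later)
                        findings.append({
                            "user": user,
                            "guessed_at": t.isoformat(),
                            "failures_before": len(failures),
                            "days_dormant": None if last_success is None else (t - last_success).days,
                            "mfa_enrolled_at": enroll[0].isoformat(),
                            "vpn_after_enroll": vpn,
                        })
                last_success = t
                recent_failures = []
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Only svc-backup is flagged: alice fails the dormancy test (a success two days earlier) and bob has no guessing burst, even though both enrolled MFA. The dormancy check is the discriminating signal here; a burst of failures followed by a success is common noise on an active account, but it is rarely benign on one that has been idle for two months.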