New MagicWeb AD Exploit Shows Value of Cloud, Zero Trust

Microsoft in an alert this week said Nobelium, the Russian state-sponsored group linked to the SolarWinds supply chain attack in 2020, deployed MagicWeb after obtaining “highly privileged credentials” at an unnamed organization and then moving laterally to gain administrative privileges on an Active Directory Federation Services (AD FS) server. MagicWeb is a malicious DLL that lets the attackers manipulate the claims in the tokens the AD FS server issues, giving them the ability to “sign in as any user” and bypass multi-factor authentication, Microsoft says. Because the implant sits on the identity provider itself, the tokens it forges are accepted by every application that trusts that AD FS server. To safeguard against such attacks, the software giant recommends isolating the AD FS infrastructure, ensuring proper monitoring, limiting access to dedicated admin accounts, and considering a move to a cloud-based identity service such as Azure Active Directory for federated authentication. “AD FS is an on-premises server, and as with all on-premises servers, deployments can get out of date and/or go unpatched, and they can be impacted by local environment compromises and lateral movement,” according to the Microsoft advisory.
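One concrete form of the “proper monitoring” Microsoft recommends is verifying that every DLL loaded by AD FS carries a valid Microsoft Authenticode signature, since MagicWeb is an unsigned attacker-supplied DLL. The PowerShell below is an added example, not a script from the Microsoft advisory; it assumes the default AD FS install directory (C:\Windows\ADFS) and flags any DLL whose signature is missing, invalid, or issued to a signer other than Microsoft.

```powershell
# Added example (not from the Microsoft advisory): list DLLs under the AD FS
# install directory whose Authenticode signature is not a valid Microsoft one.
# Assumption: AD FS is installed in the default location.
$AdfsPath = 'C:\Windows\ADFS'

$Suspect = Get-ChildItem -Path $AdfsPath -Filter '*.dll' -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            Status        = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            LastWriteTime = $_.LastWriteTime       # recently modified binaries deserve a closer look
        }
    } |
    Where-Object {
        $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
    }

if ($Suspect) {
    Write-Warning "Found $($Suspect.Count) DLL(s) in $AdfsPath without a valid Microsoft signature:"
    $Suspect | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
} else {
    Write-Output "All DLLs under $AdfsPath carry a valid Microsoft signature."
}
```

Run this from a dedicated admin account on a schedule and ship the output to a system the AD FS server cannot write to; an attacker with administrative rights on the server can tamper with a check that runs and reports only locally, which is exactly the isolation and monitoring point the advisory makes.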
