Alert:
New Malware called “FoggyWeb” enables hackers to steal Admin Credentials

September 30, 2021

Urgency/Severity: CRITICAL

Issue / Vulnerability

Digitaltrends.com summarizes the issue as follows:

Microsoft has recently discovered another type of malware, named FoggyWeb by Microsoft, that hackers are currently using to remotely steal network admin credentials. The credentials allow the attacker group, which the company has called Nobelium, to hack into admin accounts of the Active Directory Federation Services’ (AD FS) servers and control users’ access to various resources. It is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.

Microsoft claims that this is the same group behind the SolarWinds software supply chain attack that was revealed in December.

The malware acts as a backdoor for the hackers and facilitates their remote theft of tokens and certificates from Microsoft’s identity platform. Microsoft defines FoggyWeb as a “passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.”


What should I do?

Microsoft also recommends to review AD FS Server configuration and implement changes to secure these systems from attacks.

You may also read the mitigation, detection, and Indicators of compromise on this link:

Please let us know if you need further help. Our team is available to assist in doing the mitigation recommended by Microsoft.


Contact Cornerstone.IT by phone 646-530-8900 or email [email protected] – we can help you mitigate these issues.

Cornerstone.IT