Czarina Grace Tech 09.29.2021 04:Sep AM EDT

New Microsoft Malware Can Steal Your Credentials, Sensitive Info: How to Stop FoggyWeb From Attacking You

Remember the SolarWinds hack? Microsoft recently discovered another piece of malware used by hackers during the attack. The FoggyWeb malware is a utility tool that helps hackers steal user data, access admin-level permissions, and stay inside networks even after clean-up.

Business industries and companies are often warned about cybersecurity risks on the internet. One of the most iconic example is the SolarWinds software supply chain, which was downloaded by 18,000 customers.Although the number of customers that were actually attacked were less than 100, it was still a concerning development.

Ongoing research is trying to unpack the scary details of the malware attacks.

Microsoft Warning: Nobelium Modules

According to ZDNet, the U.S. and U.K. initially blamed the Russian Foreign Intelligence Service (SVR) hacking unit APT29, Cozy Bear, and The Dukes. Security researchers later discovered that these cyberattacks started from the Nobelium attack group.

Microsoft discovered how Nobelium had different malware components like GoldMax, GoldFinder, and Sibot. Nobelium was later linked to groups like Sunburst/Solarigate, Teardrop, and Sunspot.

The most recent malware discovered is called FoggyWeb. It is a backdoor system used by attackers on a targeted server that was already compromised.

New Microsoft Malware Can Steal Your Credentials

ZDNet explained how FoggyWeb uses several tactics to steal network usernames and passwords from the device. Hackers later get admin-level access to the Active Directory Federation Services (AD FS) servers, where they could hide corrupted code, steal secondary user identity, access management infrastructure, and control user access to company apps and resources.

Even worse, FoggyWeb lets hackers hide inside the network during system clean-up, keeping hackers safe from anti-virus detections.

Ramin Nafisi, a member of the Microsoft Threat Intelligence Center, said that "Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components," per ZDNet.

FoggyWeb is a passive and highly utilized backdoor tool used by many hackers. Unfortunately, as previously mentioned, the malware is extremely hard to to detect.

Microsoft recommends that potentially affected customers should take three key steps to ensure their protection:

Auditing on-premise and cloud infrastructure for configurations and per-user and per-app settings.
Removing user and app access, review configurations, and re-issue new, strong credentials.
Using a hardware security module to prevent FoggyWeb from stealing secrets from AD FS servers.

Other Cybersecurity Threats You Should be Aware of

Aside from FoggyWeb, two hacking strategies are rapidly gaining popularity in these last few months. Users and business companies are warned to remain conscious and careful about TangleBot and Phishing Scams.

TangleBot: An Android malware that could access user microphones, cameras, SMS, call logs, internet, and GPS without their awareness. There are nine ways to prevent TangleBot from infecting a device.
Phishing scams and email attacks: Security company Tessian warned about hacking strategies that exploit employee accounts to access the company website. Here are eight warning signs that your device could be in danger.

Editor's note: An earlier version of this article stated that 18,000 customers were targeted in the SolarWinds Supply Chain issue. It has since been corrected that that number only reflects the number of customers who donwloaded a compromised version of the software, but it is not the number of people who had their information leaked.