Magicweb

Malware updated 7 months ago (2024-05-05T02:17:48.002Z)
Download STIX
Preview STIX
MagicWeb is a sophisticated malware that was first reported by Microsoft in August 2022. It was developed and deployed by the threat group Nobelium, also known as Cozy Bear or APT29, who are believed to be associated with the Russian Foreign Intelligence Service (SVR). MagicWeb is designed to exploit Active Directory Federation Services (AD FS), enabling the attackers to bypass normal authentication processes and gain persistent access to compromised systems. This malware is built on previous post-exploitation tools like FoggyWeb, which were capable of stealing certificates from AD FS servers. The modus operandi of MagicWeb involves the initial compromise of a network, after which it deploys its highly advanced post-compromise capabilities. Once inside a system, it implants a backdoor on the AD FS server, then uses specially crafted certificates to bypass the usual authentication process. This gives the actors the ability to authenticate as anyone, thereby maintaining persistent access within compromised systems and carrying out espionage activities. The threat actors behind MagicWeb have displayed an ability to change their tradecraft on almost every machine they infiltrate, demonstrating a high level of sophistication. MagicWeb's deployment has been linked to significant cyberattacks, including the SolarWinds breach. Its ability to use highly privileged certifications to move laterally through a network underscores the increasing sophistication of Advanced Persistent Threat (APT) groups. These groups have increasingly targeted technology supply chains and identity systems, posing a significant cybersecurity challenge. The development and deployment of MagicWeb highlight the importance of setting up device validation rules to prevent unauthorized access and the need for continuous vigilance and adaptation in cybersecurity strategies.
Description last updated: 2024-05-05T01:44:02.323Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Microsoft
Svr
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Magicweb Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more