Magicweb

Malware Profile Updated 24 days ago
MagicWeb is a sophisticated malware that was first reported by Microsoft in August 2022. It was developed and deployed by the threat group Nobelium, also known as Cozy Bear or APT29, which is believed to be associated with the Russian Foreign Intelligence Service (SVR). MagicWeb is designed to exploit Active Directory Federation Services (AD FS), enabling the attackers to bypass normal authentication and gain persistent access to compromised systems. It builds on earlier post-exploitation tools such as FoggyWeb, which could steal certificates from AD FS servers.

MagicWeb's modus operandi begins with the initial compromise of a network, after which its post-compromise capabilities are deployed. Once inside, it implants a backdoor on the AD FS server and then uses specially crafted certificates to bypass the usual authentication process. This lets the actors authenticate as anyone, maintaining persistent access within compromised systems and carrying out espionage activities. The threat actors behind MagicWeb have changed their tradecraft on almost every machine they infiltrate, demonstrating a high level of sophistication.

MagicWeb's deployment has been linked to significant cyberattacks, including the SolarWinds breach. Its use of highly privileged certificates to move laterally through a network underscores the increasing sophistication of Advanced Persistent Threat (APT) groups, which have increasingly targeted technology supply chains and identity systems, posing a significant cybersecurity challenge. The development and deployment of MagicWeb highlight the importance of configuring device validation rules to prevent unauthorized access, and the need for continuous vigilance and adaptation in cybersecurity strategies.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Microsoft
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the MagicWeb malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | a year ago | MagicWeb Mystery Highlights Nobelium Attacker's Sophistication
CERT-EU | 3 months ago | Russia's Cozy Bear spotted diving into cloud environments
CERT-EU | 6 months ago | Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog
CERT-EU | a year ago | Microsoft warns of rising NOBELIUM credential attacks on defense sector
CISA | 3 months ago | SVR Cyber Actors Adapt Tactics for Initial Cloud Access | CISA
CERT-EU | 3 months ago | Russian cyberespionage group APT29 targeting cloud vulnerabilities