Efficient 'MagicWeb' Malware Subverts AD FS Authentication

upnorth

The attackers responsible for the SolarWinds supply chain attack have added a new arrow to their quiver of misery: a post-compromise capability dubbed MagicWeb, used to keep persistent access to environments they have already compromised and to move laterally within them.

Researchers at Microsoft observed the Russia-backed Nobelium APT deploying the backdoor after it had already obtained administrative privileges on an Active Directory Federation Services (AD FS) server. With that access, the attackers replace a legitimate DLL with the malicious MagicWeb DLL, which AD FS then loads as if it were its own code. Like domain controllers, AD FS servers authenticate users; MagicWeb lets the attackers tamper with the claims placed in the authentication tokens the AD FS server issues, so they can authenticate as any user in the organization.
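As an added example (not from the article, the forum post, or Microsoft), the first check a defender would run given the mechanism described above: enumerate every DLL in the AD FS install directory and the .NET Global Assembly Cache on the AD FS server and flag anything whose Authenticode signature is not valid or is not issued to Microsoft. The default paths and the Microsoft-only signer filter are assumptions; adjust them for your deployment.

```powershell
# Added example (not the article's or Microsoft's code): hunt for unsigned or
# non-Microsoft DLLs in the locations AD FS loads managed code from. A DLL
# swapped in the way the post describes fails this check unless the attacker
# also holds a trusted code-signing certificate.
# Run elevated on the AD FS server. The roots below are default install
# locations (assumption); add any custom paths your deployment uses.
$searchRoots = @(
    "$env:SystemRoot\ADFS",                              # AD FS service binaries
    "$env:SystemRoot\Microsoft.NET\assembly\GAC_MSIL",   # .NET 4.x GAC
    "$env:SystemRoot\Microsoft.NET\assembly\GAC_64",
    "$env:SystemRoot\assembly\GAC_MSIL"                  # legacy .NET 2.0 GAC
)

$findings = foreach ($root in $searchRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            # Only a valid signature from a Microsoft subject passes; everything
            # else (NotSigned, HashMismatch, UnknownError, third-party signer) is
            # surfaced for triage.
            $trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
            if (-not $trusted) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    SigStatus     = $sig.Status
                    Signer        = $signer
                    LastWriteTime = $_.LastWriteTime
                    SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Most recently written files first: a freshly dropped DLL tends to stand out.
$findings | Sort-Object -Property LastWriteTime -Descending | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: legitimate third-party MFA adapters and claims providers installed into the GAC will show up as non-Microsoft signers, so compare the hashes against a known-good AD FS server or the vendor's installer rather than acting on the signer alone. Because the attackers already hold admin on the box when they plant the DLL, the list is only trustworthy if it is collected from outside the compromised host (for example over a forensic image) or at least cross-checked against an untouched reference system.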