Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows

Caute_cautim — Mon, 09 Oct 2023 10:17:36 GMT

Hi All

"Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network.

As a state-sponsored cyberespionage actor, APT29 employs the new capability to hide their presence on the networks of their targets, typically government and critical organizations across Europe, the U.S., and Asia."

https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/

An interesting read on this attack.

Regards

Caute_Cautim

Re: Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows

denbesten — Tue, 30 Aug 2022 14:32:38 GMT

Saw that. "replaces a legitimate DLL used by ADFS with a malicious version" is the bit I can not get past. If the bad actor has gained the necessary permissions to replace a DLL, it seems like we have already reached "game over". Does not really matter what they do after that. The machine is compromised and all data processed by it needs to be presumed disclosed.

topic Re: Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows in Threats

Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows

Re: Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows