Microsoft has disclosed a new piece of malware, which it calls MagicWeb, and has attributed it to the state-sponsored hacking group Nobelium, an actor that adapts its tradecraft to the systems it gains access to through its intrusions.
Nobelium, the group behind the SolarWinds supply-chain compromise, remains highly active, targeting government organisations, non-profits and think tanks in the United States, Europe and Central Asia.
Microsoft has been tracking Nobelium's campaigns since at least May 2021, when the group launched a mass-email campaign impersonating a US-based organisation to distribute malicious URLs, and has since documented its targeting of CSPs, MSPs and other IT firms.
Microsoft's threat analysts identified MagicWeb after it turned up in the environment of a high-profile Office 365 customer. At the customer's request, the Detection and Response Team (DART) was brought in on-site for an in-depth investigation, which uncovered a backdoor on the customer's Active Directory Federation Services (AD FS) server. The backdoor subverts the federation server's normal authentication checks, so the intruder can pass authentication without valid credentials.
Microsoft's researchers say defending against MagicWeb comes down to controlling access to the federation servers themselves: monitor the organisation's authentication flow, know exactly who logs on to and administers AD FS, and treat every identity provider as a Tier 0 asset. Basic security hygiene and mandatory multi-factor authentication also help keep the malware at bay, though MFA for end users does not by itself stop an actor who already holds administrative access to the AD FS server, which is what planting MagicWeb requires in the first place.
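The checks below are an added example (not a script from Microsoft, from the article, or from the affected customer) of how an administrator could start applying that guidance on an AD FS server with PowerShell: verify that every DLL in the locations AD FS loads assemblies from carries a valid Microsoft signature (MagicWeb is planted as a malicious DLL on the federation server, so an unsigned or non-Microsoft library there is a red flag), list who holds local administrator rights on the host, and pull the recent interactive and RDP logons from the Security log. The AD FS install directory and the GAC path are the Windows Server 2016 and later defaults and are assumed here; adjust them if your deployment differs.

```powershell
# Added example: baseline checks for an AD FS server. Run elevated on the federation
# server itself. Paths are the Windows Server 2016+ defaults (assumption; adjust as needed).
$adfsPaths = @(
    "$env:windir\ADFS",
    "$env:windir\Microsoft.NET\assembly\GAC_MSIL"
)

function Get-AdfsDllSignatures {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Status    = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    LastWrite = $_.LastWriteTimeUtc
                }
            }
    }
}

# 1. Any DLL that is not validly signed by Microsoft has no business on a federation server.
#    Sorting by modification time puts the most recently dropped files at the top.
$suspiciousDlls = Get-AdfsDllSignatures -Paths $adfsPaths |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object LastWrite -Descending

Write-Host "DLLs not validly signed by Microsoft:"
$suspiciousDlls | Format-Table Path, Status, Signer, LastWrite -AutoSize

# 2. Who can administer this host? Every principal listed here is effectively Tier 0.
Write-Host "Local Administrators on $($env:COMPUTERNAME):"
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 3. Interactive (type 2) and RDP (type 10) logons in the last 7 days (Security event 4624).
#    Property indexes follow the 4624 event schema:
#    [5] = TargetUserName, [6] = TargetDomainName, [8] = LogonType, [18] = IpAddress.
$since = (Get-Date).AddDays(-7)
Write-Host "Interactive/remote logons since $($since):"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { [int]$_.Properties[8].Value -in 2, 10 } |
    Select-Object TimeCreated,
        @{ n = 'User';      e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'SourceIp';  e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

The signature check is the part that most directly addresses MagicWeb: a legitimate AD FS deployment should load nothing in those directories that is not signed by Microsoft, so the first table should normally be empty. The logon and group listings are the raw material for the "who logs on to and administers AD FS" question; feed them into whatever baseline or SIEM the organisation already keeps for its Tier 0 hosts rather than eyeballing them once.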