
Microsoft Active Directory
It was only a matter of time before it became an active threat.
Even the Borkzilla specialist wants you to migrate to something else.
Telling.
Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is under active use by the Nobelium threat actor group. The FoggyWeb malware, Microsoft has declared, is designed to target Microsoft Active Directory Federation Services (AD FS) servers, …
This isn't Active Directory. It's Federation Services, the FS part in ADFS. They want you moving to Azure AD, which has the functionality of ADFS, for example AD Connect.
Obvious reason why they want that and are not providing a similar solution on-prem; it's not over security concerns.
For Azure, there's actually two different things:
Azure ADFS, which is essentially a hosted version of ADFS on your AzureAD tenant. If someone is moving from on-prem ADFS to Azure, they'll support configuring it, but not really recommend it because, from what I was told, it's as much of a pain to set up and manage as the on-prem product.
AzureAD Connect, which is different enough that it's a separate product and SKU, but included with the AzureAD subscription. It also has hooks (more or less) built in for most products that support the SAML SSO specs.
Microsoft still has support for ADFS in Server 2019, but they really are pushing companies to move to Azure, because 'recurring revenue'.
From the article: More recently the group succeeded in a phishing attack on Microsoft's support desk, retrieving private customer data which the company confirmed included "information regarding... Microsoft Services subscriptions" and was used "in some cases" to launch further "highly-targeted attacks as part of [a] broader campaign."
Does 'a broader campaign' include (at times) a dozen or more (lame) spear-phishing e-mails per day with the usual payloads and malicious links? The frequency of these things has gone up tenfold over the last couple of weeks... on the e-mail address I use with my (soon to expire, and I may not renew) MSDN subscription.
(Good thing I do not open the obvious malicious attachments nor view as HTML on a Windows-based mail reader.)
The FoggyWeb malware, Microsoft has declared, is designed to target Microsoft Active Directory Federation Services (AD FS) servers, exfiltrating credentials, configuration databases, decrypted token-signing and token-decryption certificates, and to download additional components to set up a permanent backdoor and attack the network more widely.
And what would Microsoft like to do with Variants that enhance networks widely everywhere?
That wouldn't be an attack whenever Virtually a Future AIdDevelopment for toasting and roasting and hosting live beta testing with Microsoft AD FS servering ACTive Assets for Browser Deployments/Systems Engagements ......... A Heavenly Captivating Capture to Surrender and Submit Wholeheartedly to for the Benefits Derived from an Immaculate Satisfaction Borne of the Bond Presenting and Pioneering Perfect Happiness.
I Kid U Not :-)
Would that require one make and/or take a Quantum Leap ‽ . :-) for Ennobling and Enabling Nobel Prize Territory Gains ........ Providing Genius Advantage ‽ .
El Regers would certainly surely like and love to know ........ given what is So Clearly Offered ‽ .
"remove unnecessary protocols and Windows features."
So that is over to MS to actually supply an out-of-the-box version of Windows Server that has nothing but the basics installed and active and complies with a basic security model, without having to apply a bunch of group policies.
Before you say Core is cool, it still has the print spooler service running and a ton of other stuff that even MS does not know what would break if they turned it off.
Windows needs a ground-up x64, or even better a proper 64-bit, rewrite without all the backwards compatibility. Yes, it is a pain, but even all the Linux distros have their bundled detritus, and as Mac users have found, if it is used by enough people the bad guys will be interested, and if it is one guy supporting that open source library against a nation-state group of hackers, I know who will come out on top.
We use OpenVMS which is stable and does stuff and has never been hacked by anyone because it isn't worth the effort, but support is a err yes it is supported by a company that charges, not sure how they would fare against Nobelium.
"Before you say Core is cool, it still has the print spooler service running"
No it doesn't. I have a core print server and had to add the print server feature. Until you do this, the spooler service is not in the registry.
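The two comments above disagree about whether the Spooler service is present on Server Core, and the article's hardening advice is to "remove unnecessary protocols and Windows features." Rather than argue from memory, check the box. The script below is an added example, not code from the article or from either commenter; it assumes a Windows Server host with the ServerManager module available and an elevated PowerShell session. The -DisableSpooler switch is the script's own, report-only by default.

```powershell
# Added example: audit a Windows Server (e.g. an AD FS host or a Server Core box)
# for the Print Spooler service and inventory installed Windows features.
# Assumes: Windows Server, ServerManager module present, elevated session.
param(
    [switch]$DisableSpooler   # opt-in; without it the script only reports
)

# 1. Is the Spooler service present at all? Get-Service returns $null (not an
#    error) when the service does not exist, so the check settles the question.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Spooler service: not installed"
} else {
    Write-Output ("Spooler service: present, Status={0}, StartType={1}" -f `
        $spooler.Status, $spooler.StartType)
}

# 2. Cross-check against the registry key a registered service would have.
$spoolerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
Write-Output ("Registry key {0} exists: {1}" -f $spoolerKey, (Test-Path $spoolerKey))

# 3. Is the Print Server role service installed? (Feature name: Print-Server.)
Import-Module ServerManager
$printRole = Get-WindowsFeature -Name Print-Server
Write-Output ("Print-Server feature installed: {0}" -f $printRole.Installed)

# 4. Inventory of everything installed: the starting point for deciding which
#    "unnecessary protocols and Windows features" can go on this particular host.
Get-WindowsFeature |
    Where-Object Installed |
    Select-Object Name, DisplayName |
    Format-Table -AutoSize

# 5. Optional hardening: an AD FS server has no business spooling print jobs.
#    Stop the service and set it to Disabled so it does not return on reboot.
if ($DisableSpooler -and $null -ne $spooler) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output "Spooler stopped and start type set to Disabled"
}
```

Run it once without the switch to see the state of the machine; if the Spooler shows up as present and Running on a box that never prints, run it again with -DisableSpooler. The feature inventory from step 4 is the list to work through for the rest of the "remove unnecessary features" advice.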
A ground-up rewrite of Windows would just open an entire new, and hereto unknown, set of vulnerabilities for the Bad Guys to dive into. This is Microsoft, it would happen. Might even be "worse" on the other side than what we've got now, and would take another 10 years to get back to here. This is what happens when the Marketing department gets equal footing to the Engineering department.
Maybe it's time to move back to Banyan Vines? lol.
Maybe remove the networking stack, that would secure it........
Just thinking of the possibilities.
Whatever, Microsoft are pushing heavily to get people onto Azure AD. Their goal is everything subscription, including the directory, and as much as possible hosted in Azure. That way there is absolutely no possibility of avoiding licensing costs, making do with older hardware, etc.
The goal has been clear for some years with the way Exchange has morphed into Exchange Online and the Office 365 (now M365).
They won't deprecate on-prem AD for some time to come, but eventually the point will be reached where you will be unable to do anything without an Internet connection and Azure AD.
"They won't deprecate on-prem AD for some time to come ... "
They just haven't released the malware for it yet - malware which will be so horrendous and do such awful things, that the only advice MS will be able to give will be "abandon running AD on-prem and move to Azure AD, ASAP". It will probably exploit extremely delicately crafted holes that only MS knows about. But that's a few years out. For now, we get to continue to (mostly) own our directory.