Nobelium Hackers Exploit Admin Credentials

5 mins to read
nobelium hackers

We all remember the SolarWinds attack taking up residency in the media headlines back in 2020. If you don’t remember it, in short, the company was targeted by the Nobelium hackers group. This attack was one of the most noteable of the last year and triggered a supply-chain incident among organizations. While thousands downloaded the malware, SolarWinds announced “the actual number of customers who were hacked through SUNBURST to be fewer than 100.” This number is consistent with estimates previously released by the White House.

Well, the Nobelium hackers are back at it again, according to Microsoft. Nobelium has reportedly uncovered a new technique allowing the group to abuse admin credentials via MagicWeb malware that exploits on-premises Microsoft Active Directory. In the world of cloud, this would be a very dangerous situation, but more on that later.

This abuse is a bypass, coined ‘MagicWeb’ that compromises Microsoft’s Active Directory Federation Server. Microsoft further details that, “MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.”

As many organizations balance being in the cloud and on-prem, this incident highlights the inherent weakness of taking a hybrid approach to Azure Active Directory. Unfortunately, a hybrid approach increases your organizations attack surface and is more to manage — a network perimeter and identity as the perimeter. The SolarWinds breach showed us the Nobelium group could move from on-prem to cloud, so this latest attack is just an extension of their already advanced capabilities.

So what can your organization do right now to mitigate this risk? Microsoft recommends isolating Active Directory FS infrastructure, limiting admin rights, and migrating to Azure Active Directory. We back this advice, but think things need to be taken a step further.

The incident makes the case for a zero trust architecture, which incorporates multi factor authentication, least privilege, least access, and the need for each identity and identity transaction to be continually monitored and verified.

Identity the Main Player in Cloud Data Breaches

nobelium hackers

Identity-related data breaches are on the rise and ubiquitous, with 84% of surveyed companies reporting one in the previous year alone, according to the Identity Defined Security Alliance. This majority number is consistent with Gartner’s forecast that by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges. It is safe to say identity and access management demands to be at the core of cloud security strategies.

The security paradigm in the cloud has changed and it’s important for companies to update their strategies accordingly


“An organization needs to know their identities and to continuously monitor them. It is critical for a company to know where their data is, who has access to it and what a user does with the data to ensure an organization is always at least privileged and at least accessed,” said Eric Kedrosky, Director of Research and CISO at Sonrai Security.

Of course, identity is just one piece of the pie, as attackers can come in through vulnerability exploits, but exploiting identity is almost always involved on the way to sensitive data. Having strong identity and entitlements management will mitigate the severity of breaches. 

nobelium hackers

As Microsoft recommends, if you’re an Azure customer, utilizing Active Directory is a great step. However, AD is truly identity management and it leaves out the in-depth visibility and regulation of identity permissions and access enterprises need, especially when considering machine identities.

How Do I Manage Identity in the Cloud?

A strong program begins with getting an inventory of all the identities in your environment – this includes person identities and non-person identities. Not only getting an initial inventory, but maintaining one as people come and go and cloud resources are made and deleted. The next step is where leveraging a tool like Cloud Infrastructure Entitlements Management solutions are necessary. You must understand the effective permissions of all identities. This is not as simple as evaluating a single policy or calling an API. Your organization needs full visibility into each and every permission and privilege every identity holds, and the true full scope of their abilities. 

Most organizations are blind to the identity and permission risks living in their cloud due to sheer volume and ephemeral nature of cloud operations. Your organization will want to pay close attention to privileged identities like those with admin rights – these are the identities that can cause major damage and are seen as ideal targets to attackers (like this Nobelium hackers case.)

Once you have a true picture of effective permissions, your team is able to detach unnecessary privileges and remediate identity misconfigurations like Separation of Duties, toxic combinations, or privilege escalation risks. Understanding effective permissions should enable your team to meet its respective goals or policies, like Least Privilege, for example. Maintaining this security posture requires continuous monitoring. Identity and data access and activity should be monitored at all times across your cloud(s). Again, this is a tall order without automated tools like CIEM. 

Identity, One of Four Pillars

In the case of this MagicWeb exploit, a CIEM tool would have come in handy. Not only does the solution entirely prevent security incidents or at least mitigate them, it provides excellent continuous monitoring to detect anomalous behavior like sudden access rights.

Identity and its counterpart, data, should take center stage of any cloud security strategy, but total cloud security doesn’t end there. The four major pillars relating to the cloud, identity, data, platform, and workload, do not function in isolation. In fact, they all influence and connect to each other, just consider a workload exploit (workload) with a highly privileged identity (identity) on it with access to a datacenter (data) containing PII with logging not enabled (platform.) We specialize in offering a cloud security platform locking down all four pillars, explore our platform if you’d like to learn more.