Solving one of NOBELIUM’s most novel attacks: Cyberattack Series

Our story begins with eight Microsoft Detection and Response Team DART analysts gathered around a customer’s conference room to solve a cybersecurity mystery. Joined by members of the customer’s cybersecurity team, they were there to figure out how a Russia-based nation-state hacking group known ...

Solving one of NOBELIUM’s most novel attacks: Cyberattack Series

Our story begins with eight Microsoft Detection and Response Team DART analysts gathered around a customer’s conference room to solve a cybersecurity mystery. Joined by members of the customer’s cybersecurity team, they were there to figure out how a Russia-based nation-state hacking group known ...

Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers

The threat actor behind the SolarWinds supply chain attack has been linked to yet another "highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. Dubbed MagicWeb by Microsoft's threat intelligence teams, the development reiterates...

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone

Updated August 26, 2022: Added instructions to enable collection of AD FS event logs in order to search for Event ID 501, and added a new resource for AD FS audit logging in Microsoft Sentinel. Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, whi...

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone

Updated August 26, 2022: Added instructions to enable collection of AD FS event logs in order to search for Event ID 501, and added a new resource for AD FS audit logging in Microsoft Sentinel. Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, whi...