New post-exploit backdoor called “MagicWeb” used by SolarWinds hackers


APT29, the Russian cyber espionage group behind the devastating SolarWinds supply chain attacks of 2020, has once again made headlines. According to a technical report published by Microsoft, APT29 operators have developed a new post-exploitation capability that bypasses authentication. Microsoft also tracks the group as Nobelium, and it is known elsewhere as Cozy Bear and the Dukes.

Microsoft reported that the hackers are using a new authentication bypass method, which it named MagicWeb, to target corporate networks. Microsoft’s MSTIC, Microsoft 365 Defender Research, and the Microsoft Detection and Response Team (DART) identified MagicWeb on a customer’s systems. With this highly advanced capability, the attackers can keep control of a targeted network even after defenders attempt to evict them.

Notably, this time the hackers did not rely on a supply chain attack. Instead, they deploy MagicWeb using administrator privileges they have already obtained without authorization. MagicWeb is a backdoor that covertly grants the attacker expanded access, enabling a far wider range of attacks than data theft alone.

For example, attackers can log in as any user of the victim’s Active Directory. MagicWeb is the latest in a line of sophisticated tools, including backdoors, that the SolarWinds hackers have used and that Microsoft has detected and investigated.