New Post-Exploitation Backdoor Called “MagicWeb”
APT29, the Russian cyberespionage group behind the damaging SolarWinds supply chain attack of 2020, has made headlines once more. According to a technical write-up released by Microsoft, the group is now using a new post-exploitation technique that bypasses authentication. The actors have also been tracked under the names Cozy Bear, Nobelium, and the Dukes.
Microsoft reported that the hackers are using a fresh method of bypassing authentication that it has named MagicWeb to target corporate networks. Microsoft’s MSTIC, Microsoft 365 Defender Research, and Microsoft Detection and Response Team (DART) identified MagicWeb on a client’s computer systems. With the use of these extremely advanced capabilities, the hackers may maintain control over the targeted networks even after the defenders make an effort to kick them out.
It’s important to note that this time the hackers are not relying on a supply chain attack. Instead, they deploy MagicWeb using admin privileges they have already obtained without authorisation. It is a backdoor that covertly adds enhanced access capabilities, opening up a wider range of attacks than data theft alone.
For instance, the attackers are able to sign in as any user to the device’s Active Directory. MagicWeb is only the latest of many sophisticated tools, including other backdoors, that the SolarWinds hackers have employed, and it is the most recent to be detected and analysed by Microsoft.