Microsoft security researchers have identified and named a new vulnerability they are calling “MagicWeb”, which can potentially be found in organizations that have deployed Active Directory Federation Services (AD FS). MagicWeb grants the ability to obtain and maintain persistent access to the environment. NOBELIUM, the threat actor group believed to be behind MagicWeb, was previously responsible for a similar tactic with the release of “FoggyWeb” in September of 2021. Deploying MagicWeb requires highly privileged credentials and/or administrative permissions on the AD FS servers. Once deployed, it provides the ability to authenticate as anyone to the relying parties configured in AD FS.
Microsoft recommends protecting your AD FS environment with the same criticality as Domain Controllers, because it provides authentication to services in your environment.
There are a few methods to determine whether your AD FS environment has been compromised; they can be found here. However, it is highly recommended to migrate from AD FS to modern Azure Active Directory as the Identity Provider (IdP).
Please contact Service@helient.com should you need any assistance.