IT companies are making up the majority of organizations being targeted amid new activity by the group behind last year’s SolarWinds supply-chain attack, with at least one victim coming from Microsoft’s customer support ranks.
On 25 June 2021, the Microsoft Threat Intelligence Center said it was monitoring new activity from the Nobelium threat actor, which Microsoft is calling the group, with the vendor observing password spray and brute-force attacks, among other potential methods and tactics.[1] While the recent activity was mostly unsuccessful, it was targeted at specific customers, mostly IT companies, which comprised 57% of total targets. The IT segment is followed by government, which comprised 20% of targets, and smaller percentages for non-governmental organizations and think tanks, as well as financial services. In total, 36 countries were targeted, but the activity was largely focused on US interests, which claimed about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada.
Although Microsoft claims the majority of targets were not successfully compromised, the company said it was aware of at least three compromised entities to date. “All customers that were compromised or targeted are being contacted through our nation-state notification process,” the Microsoft Security Response Center team said in a blog post. As part of Microsoft’s investigation into the latest activity by the Nomelium threat actor, Microsoft revealed it had also detected information-stealing malware on a machine belonging to one of its own customer support agents with access to basic account information for a small number of its customers. “The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” the company said. “We responded quickly, removed the access and secured the device. “The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our zero trust ‘least privileged access’ approach to customer information. “We are notifying all impacted customers and are supporting them to ensure their accounts remain secure,” it added.
Microsoft stressed that the latest activity by the threat actor reinforces the importance of best practice security precautions such as zero trust architecture and multi-factor authentication.
US cyber security firm FireEye revealed late last year it had become a victim of a “nation state” cyber-attack by a "highly sophisticated threat actor." The breach was part of a much larger attack carried out through malicious updates to a popular network monitoring product and impacted major government organizations and companies. The attack involved hackers compromising the infrastructure of SolarWinds, which produces a network and applications monitoring platform called Orion, and then using that access to produce and distribute trojanized updates to the software's users.
By January 2021, anti-malware software vendor Malwarebytes also became swept up in last year's attack on SolarWinds. The US-based vendor admitted it received notices of suspicious third-party activity from the Microsoft Security Response Center on 15 December.
According to Malwarebytes, these reflected tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks, reportedly a hacking group linked to the Russian government.
It was revealed in May of this year the threat actor behind the SolarWinds hack had led a new targeted campaign spanning nearly 3,000 emails, with the group going after more than 150 organizations encompassing government agencies, think tanks, consultants and non-governmental organizations. It should be noted that this new attack activity reported by Microsoft is unrelated to the previous 'SunBurst' attack on SolarWinds.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.arnnet.com.au/article/689368/it-companies-bear-brunt-of-new-solarwinds-hacker-attacks/
Comments