SolarWinds Nobelium Hackers Are at it Again!

Microsoft has discovered a large-scale spear-phishing campaign being conducted by the Russian advanced persistent threat (APT) group that has led to the breach of 3,000 email accounts across 150 organizations.

A Russian-based group called Nobelium, allegedly behind the SolarWinds attack, is at it again with a sophisticated phishing campaign aimed at delivering malicious URLs with payloads enabling network persistence so the actors can conduct further nefarious cyber activities.

This time, Nobelium gained access to a Constant Contact account belonging to the United States Agency for International Development (USAID). This US government agency advances US national security and economic prosperity as a means of demonstrating American generosity.

In a recent email, Constant Contact said it was aware that one of its customers' "account credentials" was compromised and is being used by a malicious actor to access the customer's Constant Contact accounts.  "This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement," said Constant Contact.

The president of Virtual Systems (VS), a Microsoft Silver partner and cloud solution provider based in Grand Rapids, Michigan US, said the attack shows how state-sponsored hackers leverage upstream vendors to obtain government/customer data.  "I don't believe these attacks will curb cloud migrations, but I see much better due diligence being done by businesses and government agencies as they select partners, and that's a good thing," said VS. "The bar is being raised for service providers to adhere to the highest requirements for security and compliance, and that's good for everyone."

Suspicious email messages claimed, “Donald Trump has published new documents on election fraud.” Within the messages is a button to ‘click to view’ the documents, a very enticing lure to many. If the recipient clicks the link in the email, they are first directed to the legitimate Constant Contact service and then redirected to a URL under Nobelium's control that delivers a malicious ISO file. The ISO file contains a decoy document, a .lnk shortcut that executes a Cobalt Strike Beacon loader, and a malicious DLL that is a Cobalt Strike Beacon loader and backdoor, which Microsoft calls NativeZone.

Once the payloads are deployed, Nobelium gains persistent access to compromised systems and can subsequently complete further objectives such as lateral movement, data exfiltration, and the delivery of additional malware.
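The delivery chain above leaves two observable footprints a defender can look for: a web request that bounces off a legitimate mail-marketing link and lands on an ISO download, and a shortcut on the mounted image launching a DLL. The following detection logic is an added example and is not code from the original post, from Microsoft or from Red Sky Alliance. Every log record, host name, URL and field layout in it is constructed for the example, and it assumes the .lnk shortcut loads the DLL through rundll32.exe, a common DLL-launching method that the post itself does not specify.

```python
"""
Constructed detection example for a redirect-to-ISO download followed by a
shortcut-launched DLL. Field layouts, hosts and URLs are assumptions made for
this example, not any vendor's real log schema.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed web-proxy records: (timestamp, user, http_status, url, referrer).
# "links.mailer.example" is a placeholder for the legitimate mail-marketing
# service whose tracking links the phishing messages pointed at.
PROXY_EVENTS = [
    ("2021-05-25T14:02:01Z", "alice", 302, "https://links.mailer.example/track?id=1", "-"),
    ("2021-05-25T14:02:02Z", "alice", 200, "https://download.attacker.example/Documents.iso",
     "https://links.mailer.example/track?id=1"),
    ("2021-05-25T14:10:30Z", "bob", 302, "https://links.mailer.example/track?id=2", "-"),
    ("2021-05-25T14:10:31Z", "bob", 200, "https://news.example/story.html",
     "https://links.mailer.example/track?id=2"),
]

# Constructed endpoint process-creation records:
# (timestamp, host, parent_image, image, command_line).
# Windows mounts an ISO as a new drive letter, so E:\ stands for the mounted image.
PROCESS_EVENTS = [
    ("2021-05-25T14:03:15Z", "WS01", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\rundll32.exe", r"rundll32.exe E:\Documents.dll,Open"),
    ("2021-05-25T15:00:00Z", "WS02", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_redirect_to_iso(events, window_seconds=10):
    """Flag a 3xx from one host followed, for the same user and within the
    window, by a 200 download of an .iso file from a different host."""
    hits = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e[0]))
        for i, (t1, _, status1, url1, _) in enumerate(evs):
            if not 300 <= status1 < 400:
                continue
            for t2, _, status2, url2, ref2 in evs[i + 1:]:
                if _ts(t2) - _ts(t1) > timedelta(seconds=window_seconds):
                    break
                target = urlparse(url2)
                if (status2 == 200 and target.path.lower().endswith(".iso")
                        and target.netloc != urlparse(url1).netloc):
                    hits.append({"user": user, "redirect": url1,
                                 "iso": url2, "referrer": ref2})
    return hits


# Directories from which a rundll32 DLL argument is considered benign here.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def find_rundll32_from_user_click(events):
    """Flag rundll32.exe started under explorer.exe (a user double-click, such
    as on a .lnk) whose DLL argument lies outside the system directories,
    e.g. on a freshly mounted ISO drive letter."""
    hits = []
    for t, host, parent, image, cmd in events:
        if not image.lower().endswith("\\rundll32.exe"):
            continue
        if not parent.lower().endswith("\\explorer.exe"):
            continue
        match = re.search(r'"?([A-Za-z]:\\[^",]+\.dll)"?', cmd, re.IGNORECASE)
        if not match:
            continue
        if not match.group(1).lower().startswith(SYSTEM_DIRS):
            hits.append({"host": host, "time": t, "dll": match.group(1), "command": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_redirect_to_iso(PROXY_EVENTS):
        print("ISO via redirect:", hit)
    for hit in find_rundll32_from_user_click(PROCESS_EVENTS):
        print("rundll32 from user click:", hit)
```

Both checks are heuristics that will need tuning: the proxy rule keys on the host change between the tracking link and the ISO download, so a marketing service that hosts its own attachments will not trigger it, and the endpoint rule will miss a loader that uses something other than rundll32. Correlating the two hits by user and time, as the sample data allows, is what turns either weak signal into a credible alert.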

This new SolarWinds-linked attack, which uses compromised Constant Contact account credentials, is yet another stark warning to MSPs/MSSPs and technology providers that they need to better protect account credentials.

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice; however, external threats are often overlooked and can provide an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH, USA.

We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Interested in a RedXray subscription to see what we can do for you?  Sign up here: https://www.wapacklabs.com/RedXray   

Sources

https://www.nbcnews.com/tech/security/solarwinds-hackers-are-it-again-targeting-150-organizations-microsoft-warns-n1268893

https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/

https://www.crn.com/slide-shows/security/5-things-to-know-about-latest-solarwinds-attack-how-hackers-leveraged-constant-contact-in-phishing-campaign/6

https://www.hipaajournal.com/solarwinds-orion-hackers-targeting-u-s-organizations-with-new-spear-phishing-campaign/
