A new campaign of malicious activity from the same cyber criminal group that caused widespread disruption after breaking into the systems of various organisations via a tainted upgrade to the SolarWinds Orion platform serves as a reminder to defenders that malicious actors remain highly-motivated to seek out new attack vectors as their old ones are closed off.
News of the campaign first emerged just prior to the weekend of 26-27 June 2021, when Microsoft’s Threat Intelligence Centre published a new disclosure announcement revealing it had been tracking activity originating from the SolarWinds group – to which it attributes the name Nobelium – exploiting Microsoft’s support capabilities.
Microsoft revealed that as part of its investigation into new Nobelium activity, it found information-stealing malware on a machine belonging to one of its customer support agents who had access to basic account information on some customers.
“The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device,” said the Microsoft team.
“The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our zero-trust ‘least privileged access’ approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”
Microsoft said it got wise to Nobelium’s compromise of its staffer’s system after tracking a series of crude and mostly unsuccessful attacks involving attempts at password spraying and brute-force attacks. It believes three organisations were compromised.
“This type of activity is not new, and we continue to recommend everyone take security precautions such as enabling multi-factor authentication to protect their environments from this and similar attacks,” said Microsoft. “This activity reinforces the importance of best practice security precautions such as zero-trust architecture and multi-factor authentication and their importance for everyone.”
Read more about recent cyber attacks
The intel team said the activity was clearly directed at specific sectors, primarily technology and IT companies, government bodies, and a small number of non-governmental organisations (NGOs), thinktanks, and financial services organisations. Nearly half of the attempted attacks were on US-based organisations, about 10% in the UK, and smaller numbers in Canada and Germany.
Ilia Kolochenko of ImmuniWeb said that the exposure of Nobelium’s campaign was compelling evidence that overall cyber security hygiene is, to some extent, deficient.
“Password spraying and credential stuffing attacks are preventable by enabling MFA, restricting access to the accounts from specific networks or at least countries, and can be easily spotted by anomaly detection systems,” he said. “Moreover, a properly implemented dark web monitoring process should alert organisations quickly about stolen credentials to be urgently decommissioned. These are the very basics of information security.”
Kolochenko urged organisations to invest in their cyber baselines and implement consistent strategies in order to avoid technically unsophisticated attacks such as Nobelium’s, otherwise they will continue their surge.
Comforte’s Trevor Morgan said Nobelium’s continued activity should not come as a surprise given the group’s recent history of attacks.
“Given that the large percentage of their attacks are focused on tech companies and governmental agencies, these organisations have a high level of motivation to move proactively beyond traditional perimeter-based and user access protection methods in an attempt to head off future attacks,” he advised.
However, Morgan added, a more pressing issue for many organisations was that highly-sensitive information tends to also be highly valuable within corporate workflows for activities such as data analytics and development testing, so data-centric security tools – such as tokenisation – should also be considered.