
Latest Nobelium campaign targets victims via cloud providers and resellers: Microsoft


Infosec leaders should watch for possible network compromises after Microsoft warned that at least 14 cloud service providers and resellers of technology products have been compromised since May by the Nobelium threat group, which, according to U.S. intelligence, is part of Russia’s foreign intelligence service.

Microsoft said these victim firms are part of more than 140 resellers and technology service providers it has notified in the last five months that they have been targeted by Nobelium.

In a blog this weekend Microsoft said Nobelium — blamed for the compromise of SolarWinds’ Orion update mechanism — has been attempting to replicate the tactics it used in past attacks by targeting organizations central to the global IT supply chain.

This time, Microsoft said, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. “We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to their customers’ IT systems to gain access to their downstream customers.”

Among its tactics: Modifying Azure Active Directory to enable long-term persistence and access to sensitive information.

These attacks have been a part of a larger wave of Nobelium activities this summer, Microsoft said. Between July 1 and October 19 it warned 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1st it had notified customers about attacks from all nation-state actors 20,500 times over the past three years.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” says Microsoft.

These attacks are not the result of a product security vulnerability, Microsoft stressed, but a continuation of Nobelium’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.

“These attacks have highlighted the need for administrators to adopt strict account security practices and take additional measures to secure their environments,” Microsoft said.

Technical guidance released

In addition to the report, Microsoft released technical guidance for resellers, cloud providers and IT teams to blunt Nobelium attacks.

Resellers and cloud providers should verify and monitor compliance with Microsoft Partner Center security requirements, including the use of multifactor authentication to access the Partner Center and for cross-tenant access to customer tenants in Microsoft commercial clouds.

Infosec leaders in businesses and government departments should:

1. Review, audit, and minimize access privileges and delegated permissions.

It is important to consider and implement a least-privilege approach, Microsoft said. That includes prioritizing a thorough review and audit of partner relationships to minimize any unnecessary permissions between an organization and its upstream providers. Remove access for any partner relationships that look unfamiliar or have not yet been audited.

2. Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies.

MFA is the best baseline security hygiene method to protect against threats. For those who use Microsoft 365 or Azure Active Directory, Microsoft has published detailed guidance on setting up multifactor authentication in Microsoft 365, as well as guidance on deploying and configuring conditional access policies in Azure Active Directory.

3. Review and audit logs and configurations for all products for adequacy and anomalies.
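The three steps above become concrete once they are run against actual sign-in telemetry. The script below is an added example, not code from the article or from Microsoft's guidance: it takes a batch of Azure AD sign-in records (constructed here; the field names are assumed to follow the Microsoft Graph `signIn` schema, such as `crossTenantAccessType`, `authenticationRequirement` and `conditionalAccessStatus`), inventories which external tenants have been signing into the organization so that list can be compared against the partner relationships that have actually been audited (step 1), and flags sign-ins that completed without MFA or without a Conditional Access policy being applied (steps 2 and 3). Tenant ids, user principal names and the approved-partner list are placeholders.

```python
"""
Triage Azure AD sign-in records for the checks in Microsoft's Nobelium guidance:
unreviewed partner / cross-tenant access, sign-ins without MFA, and sign-ins
where no Conditional Access policy was applied.

Added example, not code from the article or from Microsoft. Field names are
assumed to follow the Microsoft Graph `signIn` resource; all records below are
constructed sample data, not real telemetry.
"""
import json
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample export in JSON-lines form. Tenant ids, UPNs and IPs are placeholders.
SAMPLE_SIGNINS = """
{"userPrincipalName":"admin@contoso.example","homeTenantId":"tenant-A","resourceTenantId":"tenant-A","crossTenantAccessType":"none","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"success","ipAddress":"203.0.113.10"}
{"userPrincipalName":"csp-agent@partner.example","homeTenantId":"tenant-P","resourceTenantId":"tenant-A","crossTenantAccessType":"serviceProvider","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","ipAddress":"198.51.100.7"}
{"userPrincipalName":"helpdesk@contoso.example","homeTenantId":"tenant-A","resourceTenantId":"tenant-A","crossTenantAccessType":"none","authenticationRequirement":"singleFactorAuthentication","conditionalAccessStatus":"notApplied","ipAddress":"203.0.113.44"}
{"userPrincipalName":"guest@vendor.example","homeTenantId":"tenant-V","resourceTenantId":"tenant-A","crossTenantAccessType":"b2bCollaboration","authenticationRequirement":"multiFactorAuthentication","conditionalAccessStatus":"success","ipAddress":"192.0.2.9"}
"""

# External tenants whose relationship has been reviewed and deliberately kept (step 1).
# Constructed placeholder: anything signing in from a tenant not listed here is
# treated as unfamiliar or not yet audited.
APPROVED_EXTERNAL_TENANTS = {"tenant-V"}


@dataclass
class Finding:
    upn: str
    reasons: list = field(default_factory=list)


def parse_signins(jsonl: str) -> list:
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def observed_external_tenants(jsonl: str) -> dict:
    """Step 1 inventory: every external home tenant that signed in, with a count.
    Compare this against the partner relationships the tenant admin has audited."""
    counts = Counter()
    for rec in parse_signins(jsonl):
        if rec.get("crossTenantAccessType", "none") != "none":
            counts[rec["homeTenantId"]] += 1
    return dict(counts)


def triage(jsonl: str, approved_tenants: set) -> list:
    """Steps 2 and 3: return one Finding per sign-in that breaks a baseline control."""
    findings = []
    for rec in parse_signins(jsonl):
        reasons = []
        cross = rec.get("crossTenantAccessType", "none")
        if cross != "none" and rec["homeTenantId"] not in approved_tenants:
            reasons.append(f"cross-tenant access ({cross}) from unreviewed tenant {rec['homeTenantId']}")
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("sign-in completed without MFA")
        if rec.get("conditionalAccessStatus") == "notApplied":
            reasons.append("no Conditional Access policy applied")
        if reasons:
            findings.append(Finding(rec["userPrincipalName"], reasons))
    return findings


if __name__ == "__main__":
    print("External tenants seen:", observed_external_tenants(SAMPLE_SIGNINS))
    for f in triage(SAMPLE_SIGNINS, APPROVED_EXTERNAL_TENANTS):
        print(f.upn)
        for r in f.reasons:
            print("  -", r)
```

On the constructed data the partner tenant `tenant-P` is reported in the inventory but is not on the approved list, so its service-provider sign-in is flagged three times over (unreviewed tenant, no MFA, no Conditional Access), which is exactly the combination the guidance warns about; the internal helpdesk account is flagged only for the missing controls. In a real tenant the input would be the sign-in log export and the approved set would come from the audited partner-relationship review.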

Nobelium attack characteristics

Microsoft also notes the following specific characteristics of attacks by Nobelium:
