Nobelium Espionage Campaign Persists, Service Providers in Crosshairs
In an advisory released on October 24, Microsoft announced ongoing campaigns it has attributed to the Nobelium state-sponsored threat group. IBM X-Force tracks this group as Hive099. If the name sounds familiar, that is because it is the same group behind the SolarWinds supply-chain compromise disclosed in 2020. The U.S. government has identified Nobelium as part of Russia's foreign intelligence service, the SVR.
Microsoft warns that the activity it is seeing focuses on cloud service resellers, technology providers, and their downstream customers in Europe and the U.S. Organizations are urged to take notice and act to mitigate the risk of compromise.
Abusing Digital Trust Relationships
The ongoing wave of attacks is designed to abuse trusted relationships, such as delegated administrative privilege (DAP), which let an attacker who compromises a provider move through the channels that underpin provider/customer relationships and reach the customers downstream. The activity, whose goal is to compromise accounts at the service provider level, has persisted through the summer of 2021 and does not appear to exploit any specific software vulnerability. Instead, the attackers are reported to use a toolkit of malware, password spraying, API abuse, and spear-phishing to steal credentials and gain privileged access to target networks.
These attack tactics are not novel, and organizations can reduce the chance of compromise by enforcing multi-factor authentication on every account, privileged accounts first. Further mitigation comes from restricting privileged access for employees and third parties alike, so that a compromised provider account cannot act with standing administrator rights in customer tenants. It is also recommended to review DAP relationships and terminate any that are unused, as well as any for which suspicious activity has been logged.
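The DAP review described above (terminate relationships that are unused, and those whose customer tenant shows suspicious activity such as the password spraying mentioned earlier) can be scripted once the partner has an inventory of relationships and the customers' sign-in logs. The following Python is an added example, not code from Microsoft, IBM X-Force, or the advisory: it runs a password-spray heuristic over constructed sign-in log lines and then scores a constructed DAP inventory. The `DAP_RELATIONSHIPS` and `SIGNIN_LOG` data, the simplified CSV layout, and the thresholds (10 distinct accounts within 60 minutes, at most 2 attempts per account, 90 idle days) are assumptions chosen for illustration; real tenants would feed these functions from their own exports.

```python
"""Review delegated admin (DAP) relationships against sign-in telemetry.

Added example: flags DAP relationships that are unused or whose customer
tenant shows password-spray activity. Data, field layout and thresholds
are constructed/assumed for illustration, not taken from any real tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DAP inventory: one row per customer tenant the partner can administer.
DAP_RELATIONSHIPS = [
    {"customer": "contoso-tenant", "last_admin_activity": "2021-10-20T09:15:00Z"},
    {"customer": "fabrikam-tenant", "last_admin_activity": "2021-02-01T11:30:00Z"},
    {"customer": "northwind-tenant", "last_admin_activity": "2021-10-15T16:02:00Z"},
]

# Constructed sign-in log lines in a simplified CSV layout:
# timestamp,customer_tenant,user_principal_name,source_ip,result
# "0" is a successful sign-in; any other value is a failure (50126 mirrors the
# Azure AD "invalid username or password" code, but the layout is assumed).
SIGNIN_LOG = [
    f"2021-10-20T08:{i:02d}:00Z,contoso-tenant,user{i:02d}@contoso.com,203.0.113.7,50126"
    for i in range(12)  # one source IP, 12 accounts, one guess each: spray pattern
] + [
    # a legitimate user mistyping a password twice, then succeeding: not a spray
    "2021-10-20T08:30:00Z,northwind-tenant,bob@northwind.com,198.51.100.5,50126",
    "2021-10-20T08:30:20Z,northwind-tenant,bob@northwind.com,198.51.100.5,50126",
    "2021-10-20T08:30:45Z,northwind-tenant,bob@northwind.com,198.51.100.5,0",
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_signin(line):
    ts, tenant, upn, ip, result = line.split(",")
    return {"ts": parse_time(ts), "tenant": tenant, "user": upn.lower(),
            "ip": ip, "failed": result != "0"}


def detect_password_spray(lines, window=timedelta(minutes=60), min_users=10, max_per_user=2):
    """Return {(tenant, source_ip): sorted targeted users} for spray-like bursts.

    Spray signature: one source fails against many distinct accounts with only
    a few attempts each (unlike brute force, which hammers one account)."""
    failures = defaultdict(list)
    for ev in map(parse_signin, lines):
        if ev["failed"]:
            failures[(ev["tenant"], ev["ip"])].append(ev)
    findings = {}
    for key, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):            # sliding window over failures
            per_user = defaultdict(int)
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                per_user[ev["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[key] = sorted(per_user)
                break
    return findings


def review_dap(relationships, spray_findings, now, stale_days=90):
    """Return [(customer, reason)] for DAP relationships that should be terminated."""
    sprayed = {tenant: ip for (tenant, ip) in spray_findings}
    to_terminate = []
    for rel in relationships:
        last = parse_time(rel["last_admin_activity"])
        if rel["customer"] in sprayed:
            to_terminate.append((rel["customer"],
                                 f"password spray observed from {sprayed[rel['customer']]}"))
        elif now - last > timedelta(days=stale_days):
            to_terminate.append((rel["customer"],
                                 f"no admin activity for {(now - last).days} days"))
    return to_terminate


def run_review(now_iso="2021-10-25T00:00:00Z"):
    """Run both checks over the constructed data as of an assumed review date."""
    return review_dap(DAP_RELATIONSHIPS, detect_password_spray(SIGNIN_LOG), parse_time(now_iso))


if __name__ == "__main__":
    for (tenant, ip), users in detect_password_spray(SIGNIN_LOG).items():
        print(f"spray: {tenant} from {ip}, {len(users)} accounts targeted")
    for customer, reason in run_review():
        print(f"terminate DAP for {customer}: {reason}")
```

On the constructed data the contoso relationship is flagged because of the spray burst and the fabrikam relationship because it has sat idle for 265 days; northwind's two failed attempts come from a single account and do not trip the spray heuristic, so that relationship is kept. The thresholds are deliberately conservative; in practice they should be tuned against a tenant's baseline, and a relationship flagged for suspicious activity warrants an incident review rather than only removal.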