A set of recent attacks have been attributed to Nobelium, the same nation-state actor behind the SolarWinds attack in 2020.
The attacks began in May, with Microsoft notifying more than 140 resellers and service providers that were targeted by Nobelium (14 estimated to be compromised), and 609 customers that were attacked over 22,000 times.
The latest attacks on organizations within the global IT supply chain, as reported by Microsoft, are similar to what we’ve seen in the Kaseya ransomware attack in July:
To protect against observed attack tactics of Nobelium, MSPs should strengthen their preventative and defensive security posture by putting a few basic security measures in place, including using multi-factor authentication, applying the principles of least privilege, and implementing a detection and response solution that can help them identify early indicators of an attack in progress.
A key difference in these latest attacks is the method used against victim organizations and service providers. Instead of exploiting a flaw in remote management and monitoring (RMM) software, as was seen in the Kaseya ransomware attack against MSPs, Nobelium has been reported to use password spraying and phishing to steal credentials and access systems.
In Microsoft’s guidance for MSPs and cloud service providers on handling the recent attacks, it also notes that privileged accounts are being targeted, in particular:
Microsoft has observed Nobelium targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted technical relationships to gain access to downstream customers and enable further attacks or access targeted systems. – Microsoft Partner Network team
After stealing credentials and compromising accounts at the service provider level, Nobelium then leverages privileged access (delegated administrative privileges, or DAP) to further downstream attacks through externally-facing VPNs or other solutions that give providers network access to their customers.
These types of identity-based attacks aren’t new, but they still tend to work, as many service providers fail to put into place basic security measures that can deter the success of these attacks:
In addition to taking preventative measures, detecting Nobelium’s noted attack methods in your environment early enough can enable your IT team to quickly respond and contain/block the threat before it results in customer compromise.
Identifying the following attacker behaviors can help you focus on real threats and reduce false positives:
Password Spraying. If accounts are protected by only a single factor, the odds of an attacker successfully brute-forcing their way into your systems using this method are high. Blumira identifies and notifies you of any password spraying attempts seen against your accounts, including domain controllers; such attempts indicate an attacker is methodically working through your accounts to access your environment while trying to stay under detection and lockout thresholds.
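As an added illustration (not Blumira's detection logic, nor code from this post), the following Python flags the behavior described above over constructed Windows failed-logon events: a spray keeps each account below its lockout threshold, so the detection counts distinct target accounts per source address within a time window rather than failures per account. The event format, thresholds and sample data are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (4625 = failed logon, 4624 = success),
# reduced to the fields that matter. 203.0.113.7 tries one password against six
# accounts; 192.0.2.10 is a single user mistyping their own password. Not real data.
EVENTS = [
    {"ts": "2021-10-25T08:00:01", "event_id": 4625, "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2021-10-25T08:00:03", "event_id": 4625, "user": "bob", "src_ip": "203.0.113.7"},
    {"ts": "2021-10-25T08:00:06", "event_id": 4625, "user": "carol", "src_ip": "203.0.113.7"},
    {"ts": "2021-10-25T08:00:09", "event_id": 4625, "user": "dave", "src_ip": "203.0.113.7"},
    {"ts": "2021-10-25T08:00:12", "event_id": 4625, "user": "erin", "src_ip": "203.0.113.7"},
    {"ts": "2021-10-25T08:00:15", "event_id": 4625, "user": "frank", "src_ip": "203.0.113.7"},
    {"ts": "2021-10-25T08:01:00", "event_id": 4625, "user": "bob", "src_ip": "192.0.2.10"},
    {"ts": "2021-10-25T08:01:20", "event_id": 4625, "user": "bob", "src_ip": "192.0.2.10"},
    {"ts": "2021-10-25T08:01:40", "event_id": 4625, "user": "bob", "src_ip": "192.0.2.10"},
    {"ts": "2021-10-25T08:02:00", "event_id": 4624, "user": "bob", "src_ip": "192.0.2.10"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct users} for every source whose failed logons
    touched at least `min_users` accounts inside any `window`. Per-account failure
    counting misses a spray (each account fails once or twice); per-source distinct
    account counting catches it. Thresholds are assumed values, tune per environment."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:  # only failures are spray evidence
            by_ip[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # sliding window needs time order
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for ip, users in detect_password_spray(EVENTS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
```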
Privileged User Account Changes. Attackers may add users to highly privileged groups, or enable privileged user accounts, to gain access to more resources and to gain persistence, meaning the ability to maintain their foothold on your systems despite restarts, changed credentials or other interruptions that could cut off their access. Blumira detects privileged account activity that could be suspicious so you can investigate further.
Anomalous MFA Login Activity. Monitoring your MFA applications for unusual activity can help you detect potential attacker behavior early. For example, Blumira detects and notifies your IT team of MFA account lockouts, attempted logins from outside of the U.S., unfeasible or geo-impossible logins by the same user across different locations within a short period of time, and much more.
This is especially key to monitor as Microsoft has noted that “Nobelium has been observed authenticating to accounts from anomalous locations that might trigger impossible travel analytics or fail to pass deployed conditional access policies.”
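As an added illustration of the impossible-travel check quoted above (example code, not Blumira's product logic), the following Python compares consecutive sign-ins by the same user and alerts when the implied speed between the two geolocated source addresses is faster than any flight. The sign-in format, coordinates, speed limit and the minimum-distance filter for geolocation jitter are assumptions for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample of successful sign-ins with the location the identity provider
# resolved from the source IP. alice "moves" from Chicago to Frankfurt in 45 minutes;
# bob drives from New York to Boston in four hours. Not real log data.
LOGINS = [
    {"ts": "2021-10-25T09:00:00", "user": "alice", "lat": 41.88, "lon": -87.63, "city": "Chicago"},
    {"ts": "2021-10-25T09:45:00", "user": "alice", "lat": 50.11, "lon": 8.68, "city": "Frankfurt"},
    {"ts": "2021-10-25T09:00:00", "user": "bob", "lat": 40.71, "lon": -74.01, "city": "New York"},
    {"ts": "2021-10-25T13:00:00", "user": "bob", "lat": 42.36, "lon": -71.06, "city": "Boston"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return (user, from_city, to_city, speed_kmh) for each pair of consecutive sign-ins
    by the same user that implies travel faster than max_speed_kmh (assumed airliner
    speed). Hops shorter than min_distance_km are ignored so geolocation jitter within
    one metro area does not alert."""
    by_user = {}
    for login in sorted(logins, key=lambda l: (l["user"], l["ts"])):
        by_user.setdefault(login["user"], []).append(login)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_distance_km:
                continue
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            # two distant sign-ins in the same second: treat as infinitely fast
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev["city"], cur["city"], round(speed)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, speed in detect_impossible_travel(LOGINS):
        print(f"impossible travel: {user} {src} -> {dst} at ~{speed} km/h")
```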
Credential-Stealing Activity. As noted above, Nobelium may attempt to steal credentials to gain access and move laterally around an environment. Blumira detects credential-stealing activity and alerts you to the IP address and device it originates from, such as behavior that matches known hacking tools used to elevate privileges on a targeted host (e.g., Mimikatz pass-the-hash).
This is critical to monitor and detect in a timely manner, as Microsoft has said that “Nobelium has been observed modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications…”
See additional resources for logging this type of activity, including:
Blumira’s cloud SIEM and security operations team can help MSPs protect themselves and their customers against the many attack methods of Nobelium and other threat actors. We provide:
Learn more about Blumira’s partners program and reach out to us if you’d like to sign up.