The group of hackers responsible for the SolarWinds software supply chain attack has continued to seek out ways of indirectly gaining access to enterprise networks by targeting IT and cloud service providers (CSPs) that hold admin rights on their customers' systems by virtue of their business relationship.
In a new report this week, Microsoft warns that since May, the group known as Nobelium has targeted over 140 cloud service resellers and technology providers and has succeeded in compromising as many as 14. Nobelium, also known as APT29 or Cozy Bear, is considered the hacking arm of Russia's foreign intelligence service, the SVR.
"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling -- now or in the future -- targets of interest to the Russian government," Tom Burt, corporate vice president for Customer Security & Trust at Microsoft, said in a blog post.
Compromise one to compromise many in the supply chain
Supply chain attacks can come in many forms. They can involve Trojanized software updates, as in the SolarWinds, CCleaner (Winnti), NetSarang (ShadowPad) or M.E.Doc (NotPetya) incidents, or they can involve the abuse of privileged access granted to external contractors, business partners, or IT services providers.
The 2013 credit card breach at Target traced back to the compromised credentials of an HVAC subcontractor. In the past several years, many managed services providers (MSPs) around the world were targeted by ransomware groups to abuse their access to corporate networks.
While security experts have long warned about supply chain risks, enterprises have lagged behind putting the necessary controls and monitoring in place to detect them.
Part of why such attacks can be a big blind spot is that defending against them requires a combination of controls rather than a single product: up-to-date IT asset and software inventories, log analysis, behaviour monitoring of network traffic and credential use, least-privilege principles for accounts and software, multi-factor authentication and more. It's not as easy as patching a vulnerability or deploying endpoint malware detection.
In fact, most of the Nobelium attacks that Microsoft has seen do not exploit any vulnerability. Instead, the group uses well-known techniques like spear phishing, access token theft, unprotected API abuse, and password spraying (i.e., trying common passwords against a list of usernames present in the system). What's more, one successful supply chain attack can collect credentials for additional supply chain attacks.
In one case, the Microsoft researchers traced a Nobelium attack through four distinct providers before reaching a downstream customer. The group gained access to a cloud services provider and launched a spear-phishing attack against an MSP. With the credentials collected from the MSP they jumped to a different cloud service provider, where they exploited an Azure AD trust relationship to access an IT provider and finally jumped to the end victim's network.
"By stealing credentials and compromising accounts at the service provider level, Nobelium can take advantage of several potential vectors, including but not limited to delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access," the researchers warned in an advisory.
The hackers are very adept at researching and understanding the business and access relationships between various services providers, subscription resellers, and their customers or partners. The downstream organisations that eventually get compromised are carefully selected based on their value to intelligence collection efforts.
"Microsoft assesses that organisations, such as cloud service providers and other technology organisations who manage services on behalf of downstream customers, will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods, from credential access to targeted social engineering via legitimate business processes and procedures," the company said.
Nobelium behaviours and characteristics
According to the company, behaviours and characteristics common to Nobelium intrusions include the use of anonymous infrastructure, which may include low-reputation proxy services, cloud hosting services, and TOR, to authenticate to victims.
Nobelium has been observed leveraging scripted capabilities, including but not limited to RoadTools or AADInternals, to conduct enumeration of Azure AD, which can result in authentication with user agents of scripting environments.
In addition, Nobelium has been observed authenticating to accounts from anomalous locations that might trigger impossible travel analytics or fail to pass deployed conditional access policies, alongside modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications, and creation of additional service principal credentials.
In one incident, MSTIC observed the use of Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO), as a technique to gain access to virtual machines and shift access from cloud to on-premises.
Furthermore, Nobelium has demonstrated an ongoing interest in targeting privileged users, including Global Administrators. Security of at-risk organisations is greatly enhanced by prioritising events that are detected on privileged accounts.
Nobelium is frequently observed conducting activities consistent with intelligence collection. Routinely monitoring various log sources for anomalies consistent with data exfiltration can serve as an early warning for compromise.
Organisations previously targeted by Nobelium might experience recurring activity and would benefit from implementing proactive monitoring for new attacks.
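The behaviours listed above map directly onto the Azure AD sign-in and audit logs that defenders already collect. The following script is an added example (not Microsoft's published detections) that runs three of those checks over constructed sample records: scripted user agents on sign-ins, impossible travel between consecutive sign-ins by the same user, and audit events that create persistence (user creation, application consent, role grants, service principal credentials), with events on privileged accounts ranked higher. Field names, the user-agent fragments and the activity names are this example's own assumptions and should be adjusted to what your tenant actually emits.

```python
import math
from datetime import datetime

# Constructed sample records (not real log data), loosely shaped like Azure AD sign-in and audit entries.
SIGNINS = [
    {"user": "ga@contoso.example", "time": "2021-10-20T08:00:00", "ip": "203.0.113.10",
     "lat": 51.5, "lon": -0.12, "agent": "Mozilla/5.0 (Windows NT 10.0) Edge/95.0"},
    {"user": "ga@contoso.example", "time": "2021-10-20T08:40:00", "ip": "198.51.100.7",
     "lat": 40.7, "lon": -74.0, "agent": "python-requests/2.26.0"},
]
AUDIT = [
    {"time": "2021-10-20T08:45:00", "actor": "ga@contoso.example", "activity": "Add service principal credentials"},
    {"time": "2021-10-20T09:00:00", "actor": "ga@contoso.example", "activity": "Update user"},
]

# Accounts whose events deserve priority (the report singles out Global Administrators).
PRIVILEGED_USERS = {"ga@contoso.example"}
# User-agent fragments typical of scripted tooling rather than a browser (assumed list).
SCRIPT_AGENTS = ("python-requests", "python/", "powershell", "go-http-client", "curl/")
# Directory changes that give long-term persistence; names modelled on Azure AD audit
# "Activity" display names and must be checked against your own tenant's logs.
PERSISTENCE_ACTIVITIES = {
    "Add user", "Consent to application", "Add member to role",
    "Add service principal credentials", "Add app role assignment to service principal",
}
MAX_SPEED_KMH = 1000.0  # any faster between two sign-ins counts as impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def severity(user):
    return "high" if user in PRIVILEGED_USERS else "medium"

def flag_signins(signins):
    """Return (rule, severity, user, ip) for scripted user agents and impossible travel."""
    findings, last_seen = [], {}
    for s in sorted(signins, key=lambda r: r["time"]):
        if any(tag in s["agent"].lower() for tag in SCRIPT_AGENTS):
            findings.append(("scripted-user-agent", severity(s["user"]), s["user"], s["ip"]))
        prev = last_seen.get(s["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(s["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                findings.append(("impossible-travel", severity(s["user"]), s["user"], s["ip"]))
        last_seen[s["user"]] = s
    return findings

def flag_audit(audit):
    # Return (rule, severity, actor, activity) for persistence-related directory changes.
    return [("persistence-change", severity(e["actor"]), e["actor"], e["activity"])
            for e in audit if e["activity"] in PERSISTENCE_ACTIVITIES]
```

In the sample data the same Global Administrator signs in from London and then, 40 minutes later, from New York with a Python user agent and immediately adds a credential to a service principal, so all three rules fire at high severity.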
How to mitigate Nobelium's supply chain attacks
Microsoft released specific guidance for partners and resellers operating on its cloud platforms. The Microsoft Partner Center security requirements include using multifactor authentication and conditional access policies for cross-tenant access, as well as monitoring the Partner Center activity log for suspicious user activity, creation of highly privileged users, and role assignments.
More generally, all partners are advised to remove delegated administrative privileges that are no longer in use. End customers provide DAP to their services providers to manage their subscriptions on their behalf. Microsoft plans to introduce a tool that will help partners discover unused DAP connections as well as review how their active DAP connections are being used.
Downstream customers should also review, audit and minimise access privileges and delegated permissions they've granted to partners as well as review all admin accounts and the devices authorised for MFA use on those accounts.
"In addition to using the delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants," Microsoft said. "We recommend that you identify whether your cloud service providers use these, and if so, ensure those accounts are well-governed and have least-privilege access in your tenant. Microsoft recommends against the use of 'shared' administrator accounts."
Azure AD sign-ins and configuration changes should be reviewed periodically through the Azure AD sign-in logs, audit logs and the Microsoft 365 compliance centre. Organisations should understand the logging options available to them on their cloud platforms, as well as ask the partners that manage such services for them about their own logging policies and use.
Microsoft has also published on GitHub detections and hunting queries for Azure Sentinel, as well as detections for Microsoft 365 Defender and Microsoft Cloud App Security that can be used to detect some of the behaviour and techniques associated with supply chain attacks such as those performed by Nobelium.