Infosec leaders should watch for possible network compromises after Microsoft warned that at least 14 cloud service providers and resellers of technology products have been compromised since May by the Nobelium threat group, which, according to U.S. intelligence, is part of Russia’s foreign intelligence service.
Microsoft said these victim firms are part of more than 140 resellers and technology service providers it has notified in the last five months that they have been targeted by Nobelium.
In a blog this weekend Microsoft said Nobelium — blamed for the compromise of Solarwinds’ Orion update mechanism — has been attempting to replicate the tactics it used in past attacks by targeting organizations central to the global IT supply chain.
This time, Microsoft said, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. “We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to their customers’ IT systems to gain access to their downstream customers.”
Among its tactics: Modifying Azure Active Directory to enable long-term persistence and access to sensitive information.
These attacks have been a part of a larger wave of Nobelium activities this summer, Microsoft said. Between July 1 and October 19 it warned 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1st it had notified customers about attacks from all nation-state actors 20,500 times over the past three years.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Microsoft said.
These attacks are not the result of a product security vulnerability, Microsoft stressed, but a continuation of Nobelium’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.
“These attacks have highlighted the need for administrators to adopt strict account security practices and take additional measures to secure their environments,” Microsoft said.
Technical guidance released
In addition to the report, Microsoft released technical guidance for resellers, cloud providers and IT teams to blunt Nobelium attacks.
Resellers and cloud providers should verify and monitor compliance with Microsoft Partner Center security requirements, including the use of multifactor authentication to access the Partner Center and for cross-tenant access to customer tenants in Microsoft commercial clouds.
Infosec leaders in businesses and government departments should:
1. Review, audit, and minimize access privileges and delegated permissions.
It is important to consider and implement a least-privilege approach, Microsoft said. That includes prioritizing a thorough review and audit of partner relationships to minimize any unnecessary permissions between an organization and its upstream providers. Remove access for any partner relationships that look unfamiliar or have not yet been audited.
2. Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies.
MFA is the best baseline security hygiene method to protect against threats. For those who use Microsoft 365 or Azure Active Directory, Microsoft has published detailed guidance on setting up multifactor authentication in Microsoft 365, as well as guidance on deploying and configuring conditional access policies in Azure Active Directory.
3. Review and audit logs and configurations for all products for adequacy and anomalies.
Nobelium attack characteristics
Microsoft also notes the following specific characteristics of attacks by Nobelium:
- It leverages “anonymous” infrastructure, which may include low reputation proxy services, cloud hosting services, and TOR, to authenticate to victims;
- It leverages scripted capabilities, including but not limited to RoadTools or AADInternals, to enumerate Azure AD, which can result in authentication with user agents of scripting environments;
- It has been seen authenticating to accounts from anomalous locations that might trigger impossible travel analytics or fail to pass deployed conditional access policies;
- It will modify Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications, creation of additional service principal credentials, and more. More information at https://aka.ms/nobelium.
- In one incident, Microsoft observed the use of Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO), as a technique to gain access to virtual machines and shift access from cloud to on-premise;
- It targets privileged users, including Global Administrators. Security of at-risk organizations is greatly enhanced by prioritizing events that are detected on privileged accounts;
- Nobelium frequently performs intelligence collection. Routinely monitoring various log sources for anomalies consistent with data exfiltration can serve as an early warning for compromise;
- Organizations previously targeted by Nobelium might experience recurring activity and would benefit from implementing proactive monitoring for new attacks.
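As an added illustration for the log-review step in the guidance above and for the persistence and scripted-enumeration characteristics just listed (example code written for this article, not part of Microsoft's guidance), the following Python triages constructed Azure AD audit and sign-in records. The operation names, record field names and user-agent markers are assumptions modelled on Azure AD log naming, the privileged-account set is supplied by the caller, and the sample records are invented.

```python
# Audit-log operation names matching the persistence steps listed above
# (user creation, app consent, role grants, new service principal credentials).
# Names follow Azure AD audit-log naming as assumed here; category labels are this example's own.
PERSISTENCE_OPERATIONS = {
    "Add user": "new-account",
    "Consent to application": "app-consent",
    "Add member to role": "role-grant",
    "Add app role assignment grant to user": "role-grant",
    "Add service principal credentials": "sp-credential",
}

# User-agent fragments typical of scripted Azure AD enumeration; assumed for
# illustration, not a verified tool signature list.
SCRIPTED_UA_MARKERS = ("python-requests", "powershell", "roadtools", "aadinternals")


def persistence_events(audit_records, privileged_users=frozenset()):
    """Return (priority, category, initiator, target) for each audit record whose
    operation matches a persistence technique. Events where a privileged account
    is the initiator or the target are ranked 'high' and sorted first."""
    hits = []
    for rec in audit_records:
        category = PERSISTENCE_OPERATIONS.get(rec.get("operationName"))
        if category is None:
            continue
        actor, target = rec.get("initiatedBy", ""), rec.get("targetResource", "")
        priority = "high" if {actor, target} & set(privileged_users) else "medium"
        hits.append((priority, category, actor, target))
    return sorted(hits, key=lambda h: h[0] != "high")  # stable: keeps log order within a tier


def scripted_signins(signin_records):
    """Return (user, userAgent) for sign-ins whose user agent looks like a scripting tool."""
    return [(r.get("userPrincipalName"), r.get("userAgent", ""))
            for r in signin_records
            if any(m in r.get("userAgent", "").lower() for m in SCRIPTED_UA_MARKERS)]


# Constructed sample records (field names modelled on Azure AD audit/sign-in logs; values invented).
AUDIT_LOG = [
    {"operationName": "Update user", "initiatedBy": "hr@example.com", "targetResource": "jdoe@example.com"},
    {"operationName": "Add member to role", "initiatedBy": "partner-admin@msp.example", "targetResource": "svc-backup@example.com"},
    {"operationName": "Add service principal credentials", "initiatedBy": "partner-admin@msp.example", "targetResource": "Mail Sync App"},
    {"operationName": "Consent to application", "initiatedBy": "jdoe@example.com", "targetResource": "Mail Sync App"},
]
SIGNIN_LOG = [
    {"userPrincipalName": "jdoe@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/95.0"},
    {"userPrincipalName": "partner-admin@msp.example", "userAgent": "python-requests/2.26.0"},
]

if __name__ == "__main__":
    for hit in persistence_events(AUDIT_LOG, {"partner-admin@msp.example"}):
        print("audit ", *hit)
    for user, ua in scripted_signins(SIGNIN_LOG):
        print("signin", user, ua)
```

In a real tenant the two functions would be fed exports from the Azure AD audit and sign-in logs, with the delegated-admin partner accounts from the step 1 review placed in the privileged set.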