Threat actors behind SolarWinds compromise are still active, warns Mandiant

Just over one year ago, researchers discovered that the update mechanism of SolarWinds’ Orion network management platform had been compromised by what are believed to be Russian-based groups, leading to the hack of some 100 organizations around the world out of the 18,000 that had downloaded an infected update. These victim firms included managed and communications service providers and their customers.

In a follow-up earlier this month, researchers at Mandiant said those groups — one of which is dubbed Nobelium by Microsoft — are still going strong.

The report says the group it calls UNC2652 (Nobelium) often targets diplomatic entities with phishing emails containing HTML attachments with malicious JavaScript, ultimately dropping a Cobalt Strike beacon launcher.

The other group, which it calls UNC3004, targets both government and business entities by compromising Cloud Solution Providers/Managed Service Providers and using that access to reach downstream customers.

Some of the tactics Mandiant has recently observed include:

In most instances, says the report, post-compromise activity included theft of data relevant to Russian interests. In some instances, the data appears to have been obtained primarily to create new routes into other victim environments.

“The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” the report warns.

Mandiant has found several cases where a threat actor compromised a service provider and used the privileged access and credentials belonging to these providers to compromise downstream customers.

In at least one instance, the threat actor identified and compromised a local virtual private network (VPN) account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim cloud service provider’s (CSP’s) environment, which ultimately led to the compromise of internal domain accounts.

Mandiant also identified a campaign where the threat actors gained access to the target organization’s Microsoft 365 environment using a stolen session token. An analysis of the workstations belonging to the end user revealed some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated. In some cases the user downloaded the malware after browsing to low reputation websites offering free, or “cracked”, software.

Mandiant believes with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware. These tokens were used by the actor via public VPN providers to authenticate to the target’s Microsoft 365 environment.

Mandiant has also seen the threat actor executing multiple authentication attempts in rapid succession against accounts secured with multi-factor authentication (MFA). In these cases, the threat actor had a valid username and password combination. Many MFA providers allow users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.
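The repeated-push behaviour described above leaves a recognisable trace in an MFA provider's logs: a burst of push prompts to one account, several denials or timeouts, and then an approval. The following is an added detection example, not code from Mandiant or from the article; the log format (timestamp, user, result) and the sample lines are constructed for illustration, and the window and threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the report): one event per line,
# "<ISO timestamp> <user> <result>". alice receives four pushes in two minutes
# and finally approves; bob and carol show normal behaviour.
SAMPLE_LOG = """\
2021-12-06T08:00:01Z alice push_sent
2021-12-06T08:00:02Z alice push_denied
2021-12-06T08:00:40Z alice push_sent
2021-12-06T08:00:41Z alice push_timeout
2021-12-06T08:01:10Z alice push_sent
2021-12-06T08:01:12Z alice push_denied
2021-12-06T08:01:45Z alice push_sent
2021-12-06T08:01:50Z alice push_approved
2021-12-06T08:00:05Z bob push_sent
2021-12-06T08:00:09Z bob push_approved
2021-12-06T09:30:00Z carol push_sent
2021-12-06T09:30:03Z carol push_denied
2021-12-06T11:30:00Z carol push_sent
2021-12-06T11:30:05Z carol push_approved
"""

def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def find_push_fatigue(events, window=timedelta(minutes=5), max_prompts=3):
    """Flag users who received more than max_prompts pushes inside `window`.
    Returns {user: {"prompts": n, "approved_after_burst": bool}}; an approval
    following the burst is the case most worth an immediate response."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, r in evs if r == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]  # prompts in window
            if len(burst) > max_prompts:
                deadline = burst[-1] + window
                approved = any(r == "push_approved" and start <= t <= deadline for t, r in evs)
                alerts[user] = {"prompts": len(burst), "approved_after_burst": approved}
                break
    return alerts
```

Run on the sample, only alice is flagged; in production the same logic would feed an alert that also triggers a session revocation and password reset for the affected account.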