Companies thought they were done with the Russian cybercriminal group Nobelium, but Microsoft has warned of a new wave of attacks by the gang. This time, resellers and service providers are the targets.
Well known for the SolarWinds compromise and for its earlier attacks on Microsoft, the Russian cybercriminal group Nobelium is back on the attack, this time campaigning against resellers and service providers. According to the report compiled by Microsoft, these attacks are believed to have started in May and rely on well-known techniques: “password spraying”, which consists of trying a small set of passwords against many online accounts, and phishing, both used to steal legitimate credentials and gain privileged access.
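The password-spraying pattern described above leaves a recognisable trace in sign-in logs: one source failing against many different accounts with only one or two tries each, rather than hammering a single account. The following added example (not code from the article or from Microsoft) runs that check over a constructed set of sign-in records; the log format, field order and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real telemetry): timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2021-07-02T08:00:01Z alice@example.com 198.51.100.7 FAILURE
2021-07-02T08:00:04Z bob@example.com 198.51.100.7 FAILURE
2021-07-02T08:00:09Z carol@example.com 198.51.100.7 FAILURE
2021-07-02T08:00:13Z dave@example.com 198.51.100.7 FAILURE
2021-07-02T08:00:20Z erin@example.com 198.51.100.7 FAILURE
2021-07-02T08:00:27Z frank@example.com 198.51.100.7 SUCCESS
2021-07-02T08:05:00Z alice@example.com 203.0.113.9 FAILURE
2021-07-02T08:05:02Z alice@example.com 203.0.113.9 FAILURE
2021-07-02T08:05:05Z alice@example.com 203.0.113.9 FAILURE
2021-07-02T08:05:08Z alice@example.com 203.0.113.9 FAILURE
2021-07-02T08:05:11Z alice@example.com 203.0.113.9 FAILURE
2021-07-02T09:30:00Z bob@example.com 192.0.2.44 FAILURE
2021-07-02T09:30:30Z bob@example.com 192.0.2.44 SUCCESS
"""

def parse(log):
    # Parse each line into (timestamp, account, source_ip, outcome), oldest first.
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)

def find_spray_sources(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {ip: {"accounts": n, "success": [...]}} for every source whose failures within
    some `window` spread over >= min_accounts accounts with <= max_per_account tries each.
    A single account failing many times (classic brute force) is deliberately NOT matched."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAILURE"]
        for i, (t0, _, _, _) in enumerate(fails):        # slide the window over each failure
            tries = defaultdict(int)
            for t, user, _, _ in fails[i:]:
                if t - t0 > window:
                    break
                tries[user] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                # Any success from the same source in the window is the account to act on first.
                succ = [u for t, u, _, r in evs if r == "SUCCESS" and t0 <= t <= t0 + window]
                findings[ip] = {"accounts": len(tries), "success": succ}
                break
    return findings
```

Running `find_spray_sources(parse(SAMPLE_LOG))` flags only 198.51.100.7 (five accounts, one try each, followed by a success on frank@example.com); the repeated failures against alice@example.com from 203.0.113.9 are not a spray and are left for a separate brute-force rule.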
Nobelium has attempted to replicate the approach it used in past attacks by targeting organizations integral to the global IT supply chain, specifically resellers and other technology service providers that customize, deploy and manage cloud computing services and other technologies on behalf of their customers. “We believe that Nobelium ultimately hopes to leverage the direct access resellers can have to their customers’ IT systems and more easily pose as a company’s trusted technology partner to gain access to its downstream customers,” said Tom Burt, corporate vice president of customer security and trust, in a Microsoft blog post.
A sharp increase in attacks
Since May, the Redmond firm has notified more than 140 resellers and technology service providers targeted by Nobelium. To date, 14 of them have been compromised, according to the firm. These attacks are part of a larger wave of Nobelium activity this summer: between July 1 and October 19 of this year, 609 Microsoft customers were alerted that they had been attacked 22,868 times by Nobelium, with a single-digit success rate. By comparison, before July 1, 2021, the publisher had informed its customers of attacks from all state actors 20,500 times over the previous three years.
Amit Yoran, current CEO of Tenable and founding director of US-CERT, the United States Department of Homeland Security program for monitoring and combating cyberattacks, sees in this wave of attacks a failure of the software supply chain. “Once again, we don’t see super-sophisticated, never-before-seen techniques behind a major cyberattack. These are the building blocks that continue to stumble organizations. What is relatively new over the past 12 months is the continued strategic focus on the software supply chain. This links directly to the supply chain security issues that SolarWinds has highlighted – just breaking one link in the chain brings down the entire perimeter.”
Not Russia’s first attempt
Russia has been trying for several years to gain systematic, long-term access to various points in the technology supply chain and to establish a mechanism for monitoring – now or in the future – targets of interest to the Russian government. Microsoft is working with government agencies in the United States and Europe. Although such attacks by nation states, including Russia, are unlikely to diminish and will on the contrary increase considerably in the years to come, several years of information sharing between industry and government have made it possible to better understand these attacks and the ones to come.
A former senior US administration official called these latest attacks “mundane, mundane operations that could have been avoided if cloud service providers had implemented basic cybersecurity practices. We can do a lot, but the responsibility to implement simple cybersecurity practices to lock down their access, which is by extension ours, lies with the private sector.”
Major resources deployed
In September 2020, the Redmond firm rolled out multi-factor authentication (MFA) for access to the Partner Center and for the use of delegated admin privileges (DAP) to manage a customer environment. More recently, a program was launched to provide two years of an Azure Active Directory Premium plan free of charge, giving partners access to additional premium features that strengthen security controls.
Microsoft threat protection and security operations tools, such as Microsoft Cloud App Security (MCAS), M365 Defender, Azure Defender and Azure Sentinel, have added detections to help organizations identify and respond to these attacks. Other resources are available to companies, including technical guidance to help organizations protect themselves against the latest Nobelium activity and guidance for partners. Going forward, the firm wants to make it easier for service providers of all sizes to access its most advanced secure-sign-in and identity and access management services, free or at low cost.