Nobelium, the threat actor behind the 2020 attack on SolarWinds, has reared its ugly head, and compromised at least three Microsoft customers under a new round of attacks using password spraying and brute force.
According to a Microsoft Threat Intelligence Center post, the company is tracking new activity by Nobelium, including the methods and tactics it uses.
Although this recent activity was unsuccessful for the most part, with the attempted compromises of the majority of targets failing, Microsoft said it is aware of three compromised entities to date.
“All customers that were compromised or targeted are being contacted through our nation-state notification process,” the company said.
As part of its investigation, the software giant discovered information-stealing malware on one of its customer service agents’ computers. The basic account information gathered was then used to carry out targeted attacks against a variety of organisations, as part of a greater campaign.
“We responded quickly, removed the access and secured the device. The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our zero trust ‘least privileged access’ approach to customer information,” said Microsoft. “We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”
The activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organisations and think tanks, as well as financial services.
This type of activity is far from new, and Microsoft said it recommends taking the usual security precautions, including enabling multi-factor authentication, so that customers can protect their environments from this attack and others of a similar nature.
Cyber security hygiene
Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, said the exposed hacking campaign brings compelling evidence that overall cyber security hygiene is deficient.
“For instance, password spraying and credential stuffing attacks are preventable by enabling MFA, restricting access to the accounts from specific networks or at least countries, and can be easily spotted by anomaly detection systems,” he explained.
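The anomaly-detection point above can be made concrete. The following is an added example written for this article, not code from Microsoft or ImmuniWeb: a small detector that distinguishes a password spray (one source, a few failed attempts spread across many distinct accounts) from an ordinary lockout pattern (many failures against a single account). The log format, thresholds, IP addresses and usernames are all constructed for the illustration; a real deployment would read from an identity provider's sign-in log and tune the window and account threshold to its own baseline.

```python
"""Toy password-spray detector over constructed authentication events.

Added example (not from the article, Microsoft or ImmuniWeb). Password spraying
tries one or two common passwords against many accounts, so the signature is a
single source producing failed logins across many *distinct* usernames in a short
window. A user mistyping their password produces many failures against *one*
account and must not raise the same alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    # One source walking through the directory with a single guessed password.
    ("2021-06-25T10:00:01", "203.0.113.7", "alice", "FAIL"),
    ("2021-06-25T10:00:03", "203.0.113.7", "bob", "FAIL"),
    ("2021-06-25T10:00:05", "203.0.113.7", "carol", "FAIL"),
    ("2021-06-25T10:00:08", "203.0.113.7", "dave", "FAIL"),
    ("2021-06-25T10:00:11", "203.0.113.7", "erin", "FAIL"),
    ("2021-06-25T10:00:14", "203.0.113.7", "frank", "SUCCESS"),
    # A single user mistyping their password: many failures, one account.
    ("2021-06-25T10:05:00", "198.51.100.2", "grace", "FAIL"),
    ("2021-06-25T10:05:10", "198.51.100.2", "grace", "FAIL"),
    ("2021-06-25T10:05:20", "198.51.100.2", "grace", "FAIL"),
    ("2021-06-25T10:05:30", "198.51.100.2", "grace", "FAIL"),
    ("2021-06-25T10:05:40", "198.51.100.2", "grace", "FAIL"),
    ("2021-06-25T10:05:50", "198.51.100.2", "grace", "SUCCESS"),
]


def parse_events(raw):
    """Turn the raw tuples into (datetime, ip, user, outcome) records."""
    return [(datetime.fromisoformat(ts), ip, user, outcome)
            for ts, ip, user, outcome in raw]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": [...], "succeeded": [...]}} for every
    source whose failed logins touch at least `min_accounts` distinct usernames
    inside any `window`-long span. `succeeded` lists accounts that later logged
    in successfully from the same source, i.e. the ones to reset first."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, outcome in evs if outcome == "FAIL"]
        start = 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {user for _, user in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                succeeded = sorted({user for ts, user, outcome in evs
                                    if outcome == "SUCCESS"
                                    and ts >= fails[start][0]})
                alerts[ip] = {"accounts": sorted(accounts),
                              "succeeded": succeeded}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {ip}: "
              f"{len(info['accounts'])} accounts targeted, "
              f"successful logins afterwards: {info['succeeded'] or 'none'}")
```

Keying the window on distinct usernames per source rather than on raw failure counts is what separates a spray from a lockout; the second block of constructed events (five failures, one account) stays silent, while the first raises an alert and names the one account that subsequently authenticated. Enforcing MFA and restricting sign-in to expected networks, as the quote suggests, removes most of the payoff of the spray even when such a detector fires late.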
In addition, Kolochenko said a properly implemented dark web monitoring process should help alert companies quickly about stolen credentials that might need to be decommissioned as a matter of urgency. “These are the very basics of information security.”
According to him, phishing is another common phenomenon that can be successfully mitigated by ongoing security awareness and training programs for employees. “When security training is combined with continuous monitoring and threat detection systems, designed to sandbox untrusted emails or hyperlinks, phishing efficiency is zero even when an employee makes a mistake.”
The bottom line: organisations must invest in cyber security baselines and implement a consistent information security strategy. “Otherwise, even technically unsophisticated attacks will continue their surge,” Kolochenko concluded.