Mandiant And Microsoft Identify New Activity From Russian Actor Nobelium, Experts Reactions

BACKGROUND:

Mandiant and Microsoft have identified a new wave of intrusion activity from the threat actor behind the SolarWinds supply chain attacks. While at a smaller scale than what we saw late last year, it’s a new shift – they’re using the reseller community to get to their desired targets. We’ve seen downstream victims in North America and Europe thus far, and the intrusion activity is ongoing.

Experts Comments

October 26, 2021
Alicia Townsend
Technology Evangelist
OneLogin

The reported low success rate of the 22,868 attacks detected actually makes this a bit of good news. However, there is no mention of how the majority of these attacks were actually prevented. Since the means of attack is through password spraying and phishing, we should be able to assume that these organizations have implemented some basic defences such as security training for their employees and requiring multi-factor authentication when users log on.

This only goes to reinforce the need for organizations to remain ever vigilant. And with the holiday season upon us it will be ever more crucial for retail organizations in particular to ensure that their seasonal staff is properly trained and that they adhere to their security standards even through all the craziness that the holiday season will bring to their businesses.

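The password-spraying pattern mentioned above (many accounts, a few attempts each, from one source) is something a defender can spot in authentication logs, and the account that eventually succeeds after a spray is the one worth investigating first. The following is an added example, not code from the page or from any of the quoted companies; the log format, the constructed log lines and the thresholds (5 or more distinct accounts, at most 3 failures per account, within 10 minutes) are assumptions for illustration.

```python
"""Password-spray detection over constructed authentication log lines.

Added example: flags a source IP that fails logins against many distinct
accounts with only a few attempts per account inside a time window (the
"low and slow" shape of password spraying), and lists any account that
authenticated successfully from that source after the spray began.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: timestamp, result, user, source IP).
SAMPLE_LOG = """\
2021-10-26T08:00:01Z FAIL user=alice src=203.0.113.7
2021-10-26T08:00:03Z FAIL user=bob src=203.0.113.7
2021-10-26T08:00:05Z FAIL user=carol src=203.0.113.7
2021-10-26T08:00:07Z FAIL user=dave src=203.0.113.7
2021-10-26T08:00:09Z FAIL user=erin src=203.0.113.7
2021-10-26T08:00:11Z FAIL user=frank src=203.0.113.7
2021-10-26T08:00:13Z OK   user=grace src=203.0.113.7
2021-10-26T08:05:00Z FAIL user=alice src=198.51.100.9
2021-10-26T08:05:02Z FAIL user=alice src=198.51.100.9
2021-10-26T08:05:04Z FAIL user=alice src=198.51.100.9
2021-10-26T08:05:06Z FAIL user=alice src=198.51.100.9
2021-10-26T08:05:08Z FAIL user=alice src=198.51.100.9
2021-10-26T08:05:10Z FAIL user=alice src=198.51.100.9
2021-10-26T09:30:00Z FAIL user=heidi src=192.0.2.44
2021-10-26T09:30:02Z OK   user=heidi src=192.0.2.44
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """Return {src_ip: finding} for sources whose failures look like a spray.

    A spray is many distinct accounts with few failures each inside `window`.
    Six failures against one account (198.51.100.9 in the sample) is brute
    force, not a spray, and is deliberately left to a different detector.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        # Slide a window over the failures from this source.
        for i in range(len(fails)):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - fails[i]["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                spray_start = fails[i]["ts"]
                # Any success from the same source after the spray began is the
                # high-priority item: a guessed password or a reused credential.
                successes = sorted({e["user"] for e in evs
                                    if e["ok"] and e["ts"] >= spray_start})
                findings[src] = {
                    "start": spray_start,
                    "accounts": sorted(per_user),
                    "successes_after": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for src, f in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: spray from {f['start']:%H:%M:%S} against "
              f"{len(f['accounts'])} accounts; successes after: {f['successes_after']}")
```

Running it flags only 203.0.113.7 and reports `grace` as the account that succeeded after the spray; the per-account thresholds are what separate this from a lockout-triggering brute force, which is why spraying is attractive to the actor and why the detection has to pivot on the source rather than on the account.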
October 26, 2021
Danny Lopez
CEO
Glasswall

IT supply chain companies must act now to avoid becoming the next SolarWinds. With Nobelium surveying global organisations for weak points, shoring up security infrastructure is absolutely critical. According to Microsoft researchers, the nation-state adversaries are not leveraging specific vulnerabilities at this time but are using old school credential stuffing and phishing as well as API abuse and token theft in order to gather legitimate account credentials. If successful, lateral movement across the compromised organisation’s network would be the next stage, allowing for data theft, reconnaissance, compromise of customer systems and more. 

To prevent these attackers from gaining privileged access and wreaking havoc, organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.

Adversaries are also constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use or carefully crafted phishing emails with compromised documents within. 

Recent attacks and these new attempts reveal that the traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers like Nobelium having free rein across a network once they are inside.

October 26, 2021
Charles Carmakal
SVP and CTO
Mandiant

Mandiant has investigated multiple intrusions in 2021 where suspected Russian threat actors exploited supply chain relationships between technology companies and their customers. While the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government. This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor. This is particularly effective for the threat actor for two reasons: First, it shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses and second, investigating these intrusions requires collaboration and information sharing across multiple victim organizations, which is challenging due to privacy concerns and organizational sensitivities. We’ve observed this attack path used to obtain access to on-premises and cloud victim environments. Similar to the victimology observed in the 2020 campaign, the targets of this intrusion activity appear to ultimately be government organizations and other organizations that deal in matters of interest to Russia. The intrusion activity is ongoing and Mandiant is actively working with organizations that are impacted.

October 26, 2021
Tony Pepper
CEO
Egress

Ransomware has dominated the threat landscape in 2021, and the frequency of attacks is alarming. It's become a highly lucrative profit engine for cybercriminals, and any organisation, big or small, can become a target.

With ransomware incidents against UK businesses doubling in the space of a year, now is the time for organisations to ramp up their defences. Over 90% of malware, including ransomware, is delivered via email – so it’s vital that organisations are aware of the threat posed by phishing in facilitating these attacks. By implementing intelligent email technology, organisations can more effectively protect themselves from the threat of ransomware.

October 26, 2021
Sam Curry
Chief Security Officer
Cybereason
What Microsoft’s Nobelium report doesn’t include is the smoking gun pointing from Russia to its targets, but that could exist behind the scenes. The company is, however, suggesting that downstream compromises, which effectively leverage trusted software to begin attack runs, are enabled by upstream identity compromise. Should it be true, this would begin to clear the upstream methodology of Nobelium who attacked SolarWinds and Microsoft alike over the last two years. However, there’s not enough in what they have made public to determine likelihood of accuracy in attributing this to Nobelium and Russia.

Most companies face terrible consequences for themselves and customers if compromised. However, like following a river delta upstream to a source river, the consequences of compromise downstream get worse. This means that those with the privilege of managing or servicing customers downstream have a responsibility that increases exponentially to do things right. Security isn’t just a “differentiator” for them, it’s a necessity. Managing customers is a privilege, not a right, and it can be lost if resellers don’t get this right now. Today, the supply chain is one of the weakest paths to compromise, inadequately defended in most organisations. However, there is always, by definition, a weakest link. Historically, this has taken the form of either human error via things like poor security controls and phishing or vulnerabilities or weaknesses in hardware and software configuration. Attackers develop methodologies to build exploits on weakest links or, more accurately, weakest paths; but simply blocking these avenues wouldn’t solve the problem. The best chance of success for defenders is to deploy a detection strategy and, specifically EDR or XDR technology that can spot the abuse of trusted software as the starting point of an attack.

October 26, 2021
Ilia Kolochenko
Founder and CEO
ImmuniWeb

Supply chain attacks will certainly continue their surge in 2022. Suppliers are the Achilles’ heel of the largest financial institutions, governmental institutions and providers of critical national infrastructure. Compared to frontal attacks against the victims, silent attacks against third parties are generally faster, cheaper and less noisy. Moreover, suppliers may also have access to more data than the victims themselves, for example, by storing more data in backups than contractually allowed or expected. Worse, some suppliers fail to detect sophisticated intrusions and the victims are never even notified about the incident.

Attribution of supply chain attacks, likewise, remains a highly complex issue, both technically and legally speaking. Cyber gangs actively cooperate with each other, outsourcing some specific tasks to their accomplices in different countries. Few cyber mercenaries will ever conduct research for new 0day vulnerabilities or create novel stealth trojans, for instance. Instead, they will just buy them from numerous groups specialized in the domain, saving time and money. Furthermore, some nation-state actors may hire several hacking groups and creatively split a task between them. Frequently, cyber gangs are purposely hired from countries like Russia or China to mislead the victim and confuse the investigators. Eventual attribution to a specific person, organization or even country is thus overly problematic. International collaboration and further expansion of such treaties as the Budapest Convention are essential to curb transnational cybercrime.
