Microsoft is warning other resellers and technology service providers about another attack from Nobelium, the hacking group responsible for the SolarWinds breach and several other high-profile attacks.
In the latest incident, the Russian-based organization has targeted at least 14 service providers with a focus on attacking software and cloud service resellers specifically. Nobelium is relying on spray-and-pray credential stuffing, phishing, API abuse, and token theft in attempts to gain account credentials and access to victims' systems.
Industry experts reacted to this latest news on Nobelium's malicious activities.
Saket Modi, CEO, Safe Security
“Today in a provider/customer relationship, customers delegate unrestricted administrative rights to the provider to allow seamless management of customers’ tenants. Most often, customers follow traditional and qualitative risk management assessments before onboarding a third party . Nobelium’s ongoing supply chain attacks show the importance of closing loopholes to trusted relationships that cause downstream impacts. Social engineering, cloud misconfigurations relating to unverified delegated administrative privileges, password sprays, API theft, supply chain attacks - are all threat actor techniques that businesses are actively monitoring, but in a siloed and disjointed fashion. NOBELIUM has been successful because organizations lack a single, enterprise-wide, and real-time cybersecurity view of what and where their vulnerabilities lie across people, technology, and third-party (supply chain).
To effectively manage third party security risks today, organizations need to go beyond a questionnaire and outside in approach only, and have a cohesive inside out, real-time risk analysis of third parties to get a better understanding of their risk posture and critical vulnerabilities.
Now more than ever, businesses need to adopt enterprise-wide proactive cybersecurity strategies through breach likelihood scores that can help them measure, manage and mitigate cyber risks through dynamic, prioritized, and actionable insights.”
Neil Jones, Cybersecurity Evangelist, Egnyte
“It's reassuring to see that Microsoft is proactively warning its resellers and technology service providers about the newest wave of cyber-attack attempts by Nobelium. This is especially important when we consider that the global supply chain is already under extreme pressure as major economies recover from the pandemic. Since the latest wave of attacks doesn't appear to prey upon specific vulnerabilities or security flaws, companies can safeguard themselves by deploying tried-and-true cyber-protection techniques, such as proven Multi-Factor Authentication (MFA), e-mail protection and suspicious login detection solutions. These tactics will go a long way in combating the credential stuffing, phishing and token theft tactics that have characterized the most recent wave of Nobelium attacks.”
Danny Lopez, CEO, Glasswall
“IT supply chain companies must act now to avoid becoming the next SolarWinds. With Nobelium surveying global organisations for weak points, shoring up security infrastructure is absolutely critical. According to Microsoft researchers, the nation-state adversaries are not leveraging specific vulnerabilities at this time but are using old school credential stuffing and phishing as well as API abuse and token theft in order to gather legitimate account credentials. If successful, lateral movement across the compromised organisation’s network would be the next stage, allowing for data theft, reconnaissance, compromise of customer systems and more.
To prevent these attackers from gaining privileged access and wreaking havoc, organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.
Adversaries are also constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use or carefully crafted phishing emails with compromised documents within.
Recent attacks and these new attempts reveal that the traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers like Nobelium having a free reign across a network once they are inside.”