The advanced persistent threat (APT) actor Nobelium (also known as Cozy Bear; APT29) that was responsible for the 2020 SolarWinds supply chain attack is attacking managed service providers (MSPs), cloud service providers (CSPs), and other IT service providers, based on the latest advisory from Microsoft.
Instead of executing attacks on a lot of companies and institutions, Nobelium is opting for a compromise-one-to-compromise-many strategy. This can be done since service providers are frequently provided administrative access to the networks of customers to enable them to deliver IT services. Nobelium is seeking to take advantage of that privileged access to execute attacks on downstream organizations and is executing attacks as of May 2021.
Nobelium utilizes a number of strategies to compromise the systems of service providers, such as token theft, phishing and spear-phishing attacks, malware, API abuse, supply chain attacks, and password spraying attacks on accounts utilizing often utilized passwords as well as passwords that were compromised in past data breaches.
As soon as access to service providers’ networks is obtained, Nobelium goes laterally in the cloud then utilizes the trusted access to carry out attacks on downstream organizations utilizing trusted channels for example externally facing VPNs or the special software tools employed by service providers to gain access to customers’ sites.
A few of the attacks carried out by Nobelium were extremely sophisticated and required chaining together artifacts and getting access to several service providers so as to attain their end target.
Microsoft Threat Intelligence Center (MSTIC) has created a number of instructions for companies and downstream businesses to assist with remediation and mitigation.
MSPs and CPSs that depend on elevated privileges to deliver services to their clients were told to confirm and keep track of compliance with Microsoft Partner Center security specifications, which consist of permitting multifactor authentication and implementing conditional access guidelines, using the Secure Application Model Framework, examining activity records and tracking user activities, and taking away assigned administrative privileges that are not used anymore.
All downstream companies that count on service providers having administrative access were instructed to evaluate, review, and lessen access privileges and assigned permissions, such as hardening and tracking all tenant administrator accounts and going over service provider permissions access from local and B2B accounts. They must additionally confirm MFA is enabled and conditional access guidelines are being implemented and routinely examine audit records and settings.
Microsoft has posted complete information on Nobelium’s tactics, techniques, and procedures (TTP) in its advisory to assist IT security teams to prevent, identify, investigate, and minimize attacks.