Why companies should care about Nobelium

July 02, 2021

A new campaign by the Nobelium group, uncovered by the Microsoft Threat Intelligence Center (MSTIC), serves as a reminder to practitioners that malicious, Russia-related actors remain highly motivated to seek out new attack vectors as old ones are shut down.

At the end of June, Microsoft revealed that a customer service employee’s computer had been compromised. The intrusion resulted in stolen customer data and, so far, targeted attacks on three organizations using password spraying and brute force techniques against login servers.
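The two techniques named above leave different footprints in an authentication log, which is what a defender can key on: password spraying tries one or two common passwords against many accounts from one source, so it shows up as many distinct usernames with very few failures each, while brute force hammers a single account, so it shows up as many failures for one username. The following is an added example written for this article, not code from Microsoft or CISA; the log format (ISO timestamp, source IP, username, FAIL/OK), the sample lines and the thresholds are constructed assumptions, and a real deployment would tune the window and counts to its own baseline.

```python
"""Separate password-spray from brute-force patterns in failed-login records.

Added example; the log format and all sample lines are constructed.
Format per line: "<ISO-8601 timestamp> <source IP> <username> <FAIL|OK>"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, invented usernames).
SAMPLE_LOG = [
    # Spray pattern: one source, six different accounts, one failure each.
    "2021-06-25T10:00:01 203.0.113.7 alice FAIL",
    "2021-06-25T10:00:09 203.0.113.7 bob FAIL",
    "2021-06-25T10:00:17 203.0.113.7 carol FAIL",
    "2021-06-25T10:00:25 203.0.113.7 dave FAIL",
    "2021-06-25T10:00:33 203.0.113.7 erin FAIL",
    "2021-06-25T10:00:41 203.0.113.7 frank FAIL",
    # Brute-force pattern: one source, one account, eight failures in 35 seconds.
    *[f"2021-06-25T11:00:{s:02d} 198.51.100.23 svc-backup FAIL" for s in range(0, 40, 5)],
    # Benign noise: a user mistypes twice and then logs in.
    "2021-06-25T12:00:00 192.0.2.10 alice FAIL",
    "2021-06-25T12:00:07 192.0.2.10 alice FAIL",
    "2021-06-25T12:00:15 192.0.2.10 alice OK",
]


def parse_line(line):
    """Split one record into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect(lines, window=timedelta(minutes=10), spray_min_users=5, brute_min_attempts=8):
    """Return {"spray": {ip, ...}, "brute": {(ip, user), ...}} for the given records.

    A source is flagged as spraying when, inside one sliding window, it fails
    against at least `spray_min_users` distinct accounts with no account seeing
    more than two failures. A (source, account) pair is flagged as brute force
    when that pair accumulates at least `brute_min_attempts` failures in a window.
    """
    failures = defaultdict(list)  # source ip -> [(timestamp, username)]
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    alerts = {"spray": set(), "brute": set()}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
                alerts["spray"].add(ip)
            for user, count in per_user.items():
                if count >= brute_min_attempts:
                    alerts["brute"].add((ip, user))
    return alerts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    print("spray sources:", sorted(found["spray"]))
    print("brute-force pairs:", sorted(found["brute"]))
```

The benign source (two failures, one account, then success) triggers neither rule, which is the point of keeping the two thresholds separate: a per-account lockout counter alone would never see the spray, because each account only fails once. Multi-factor authentication, which the article goes on to recommend, stops both patterns even when a guessed password is correct.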

The discovery came from the investigations Microsoft has been conducting into Nobelium, the group responsible for the attacks involving SolarWinds customers. According to Microsoft, affected or targeted customers have been alerted.

“The investigation is ongoing, but we have confirmed that our support agents are configured with the minimum set of permissions required as part of our Zero Trust approach to customer information. We are notifying all affected customers and helping them ensure their accounts remain secure,” Microsoft said in a statement.

It continues, “This type of activity is not new and we continue to recommend that everyone take security precautions, such as enabling multi-factor authentication to protect their environments from this and similar attacks. It reinforces the importance of security precautions best practices, such as zero-trust architecture and multifactor authentication, and their importance to everyone.”

According to Reuters, Microsoft revealed the attack publicly only after being asked about the notice sent to affected customers. A copy of the Microsoft notice to which Reuters had access during the second half of May states that the attacker belongs to the Nobelium group and could see billing information and what services customers were paying for, among other data.

Microsoft did not tell Reuters whether the customer service employee was an outsourcer or not. A spokesman said this incident is not part of Nobelium’s previous successful attack on Microsoft, through which attackers gained access to part of the company’s source code repository.

In the company’s view, the attack was part of a larger Nobelium campaign largely focused on IT companies and governments around the world. Almost half of the attempted attacks were against US-based organizations, around 10% in the UK and smaller numbers in Canada and Germany.

Microsoft has been talking a lot about security today, especially in relation to its upcoming Windows 11, as the company tries to make the case for requiring users to have specific hardware to upgrade.

Prevention

The US Cybersecurity and Infrastructure Security Agency (CISA) provides the following list of best practices for strengthening an organization’s security.

  • Keep signatures and antivirus engines up to date.
  • Keep operating system patches up to date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrator’s group unless necessary.
  • Enforce a strong password policy and implement regular password changes.
  • Be careful when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan and remove suspicious email attachments; make sure each attachment’s extension matches its “true file type” (i.e. the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Be careful when using removable media (e.g. USB sticks, external drives, CDs).
  • Scan all software downloaded from the Internet before running it.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
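The “true file type” check in the list above comes down to comparing the first bytes of a file against the signature its extension implies; an executable renamed to `invoice.pdf` still starts with the `MZ` header. The following is an added example illustrating that check, not CISA’s own tooling; the signature table covers only a handful of common types and is an assumption, and the sample byte strings are constructed.

```python
"""Verify that an attachment's extension agrees with its file header.

Added example; the signature table and sample inputs are constructed and
deliberately small. A production check would use a full magic database.
"""
import os

# Leading-byte signatures by extension (assumed table, not exhaustive).
# Office Open XML documents (.docx etc.) are ZIP containers, so they share
# the ZIP local-file-header signature.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
}


def detect_types(data):
    """Return every extension in MAGIC whose signature matches the header bytes."""
    return [ext for ext, sigs in MAGIC.items() if any(data.startswith(s) for s in sigs)]


def check_attachment(filename, data):
    """Return (ok, detected_types).

    ok is True only when the filename's extension is among the types the
    header bytes are consistent with. An unknown extension or an unrecognised
    header yields ok=False so the file is treated as suspicious, not trusted.
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = detect_types(data)
    return (ext in detected, detected)


# Constructed sample attachments (first bytes only; real files are longer).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",   # PE executable renamed
    "memo.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00",
    "photo.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",              # PNG with a .jpg name
    "notes.txt": b"plain text has no signature",
}


def review_samples():
    """Run the check over SAMPLES; returns {filename: (ok, detected)}."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, detected) in review_samples().items():
        verdict = "ok" if ok else "MISMATCH"
        print(f"{name:12s} {verdict:9s} header looks like: {detected or 'unknown'}")
```

Two details matter in practice: extensionless or text formats have no signature, so the check must fail closed rather than pass them, and container formats such as ZIP-based Office documents need a second stage (inspecting the archive contents) because the outer signature alone cannot tell a harmless memo from a document with embedded macros.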