In 2020, SolarWinds was hit with a highly sophisticated supply-chain attack orchestrated by a nation-state threat actor. The Texas-based IT management and monitoring company was compromised when attackers inserted malicious code into Orion (a software product that monitors the components of a customer's network) as it was being built and updated, so that the trojanized update reached customers through SolarWinds' own signed release channel. The threat actors then used that update to launch a massive cyberattack against the United States.
Today, we know the attackers as NOBELIUM, a Russian state-sponsored group (also tracked as APT29). Recently, NOBELIUM was seen making the rounds again, but this time its focus has shifted to software and cloud service resellers. Let's take an in-depth look at NOBELIUM's tactics and its most recent operations.
When it comes to highly sophisticated intrusions, NOBELIUM is among the most capable actors operating today, and the SolarWinds breach was only the beginning of its persistent activity. In August 2021, NOBELIUM was seen attempting to exploit a cluster of Exchange vulnerabilities known as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Chained together, these let an unauthenticated attacker reach backend Exchange services through an Autodiscover path-confusion flaw, elevate privileges, and write a web shell to the server for later access. Microsoft shipped fixes in its April and May 2021 Exchange security updates, yet many servers remain exposed because organizations have not applied them.
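The telltale sign of a ProxyShell attempt is a request to the Autodiscover endpoint whose URL carries an "@host/" segment followed by a backend path such as /powershell or /mapi/nspi. The following Python is an added example (not code from the article or from Avertium) that scans IIS W3C log lines from an Exchange front end for that pattern; the log lines are constructed, the field order is the default IIS layout assumed here, and the backend path list is a set of well-known indicators rather than an exhaustive one.

```python
"""Spot ProxyShell-style requests in IIS W3C logs from an Exchange front end.

Added example; not code from the article or from Avertium. The log lines are
constructed, and the field order is the default IIS W3C layout assumed here.
"""
import re
from urllib.parse import unquote

# Backend endpoints the Autodiscover path confusion (CVE-2021-34473) is used to
# reach. Well-known indicator paths, not an exhaustive list.
BACKEND_PATHS = ("/powershell", "/mapi/nspi", "/ews/")

# Constructed sample: two exploitation attempts from 203.0.113.7 and two benign
# requests. Field order (assumed): date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_IIS_LOG = """\
2021-08-12 14:02:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=base64token 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-12 14:02:12 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@corp.example&Protocol=ActiveSync 443 - 198.51.100.20 Outlook/16.0 200
2021-08-12 14:02:13 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-12 14:02:14 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.21 Mozilla/5.0 302
""".splitlines()

# ".../autodiscover.json?@<host>/<backend path>": the "@host" makes the front end
# treat the rest of the URL as the Autodiscover target, and the path after it is
# forwarded to the backend without the attacker ever authenticating.
PATH_CONFUSION = re.compile(r"autodiscover\.json\?@[^/\s]+(/\S*)")


def parse_iis_line(line):
    """Split one W3C line into (client_ip, method, uri_stem, uri_query)."""
    fields = line.split()
    _date, _time, _s_ip, method, stem, query, _port, _user, c_ip = fields[:9]
    return c_ip, method, stem, query


def is_proxyshell_request(stem, query):
    """True when the request uses the Autodiscover path confusion to reach a backend path."""
    # IIS logs "-" for an empty query; decode %XX so nested encoding cannot hide the "?"
    full = unquote(f"{stem}?{query}").lower()
    match = PATH_CONFUSION.search(full)
    if not match:
        return False
    return any(path in match.group(1) for path in BACKEND_PATHS)


def scan_iis_log(lines):
    """Return (client_ip, method, decoded_url) for every suspicious request."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C header lines
        c_ip, method, stem, query = parse_iis_line(line)
        if is_proxyshell_request(stem, query):
            hits.append((c_ip, method, unquote(f"{stem}?{query}")))
    return hits


if __name__ == "__main__":
    for ip, method, url in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"{ip} {method} {url}")
```

Run against the sample, the scanner flags only the two requests from 203.0.113.7; the ordinary Autodiscover lookup for alice@corp.example is left alone because the "@" there sits inside the Email parameter, not directly after "autodiscover.json?". A hit on a server that has not taken the April and May 2021 updates is a strong cue to look for newly written .aspx files under the Exchange web directories.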
In recent months, NOBELIUM has pivoted to attacking software and cloud service resellers. Its latest attacks have touched 3,000 individual accounts across more than 150 organizations. In those attacks the group followed its established pattern of using dedicated infrastructure and tooling for each target, which limits what defenders can learn from one victim's indicators and helps the group go undetected for an extended period.
The SolarWinds intrusion was discovered by FireEye Inc. in December 2020. NOBELIUM used the SUNBURST backdoor, the TEARDROP loader, and the GoldMax malware to carry out the supply-chain attack, and went on to breach nine United States government agencies (the Department of Homeland Security, CISA, the US Treasury, and others) and about 100 private companies using the same tooling. After gaining access, NOBELIUM dug deeper into victims' networks using a strategy that was simple yet sophisticated: the on-premises foothold put the group in the perfect position to move into victims' Microsoft 365 and Azure tenants.
Microsoft later disclosed that NOBELIUM viewed, and in some cases downloaded, portions of its source code for Azure components related to identity and security, for Intune management of mobile devices and applications, and for its Exchange email software. Access of that kind gives an attacker the freedom to hunt for security vulnerabilities and to study exactly how customer installations could be exploited, although Microsoft has stated the actor could not modify the code. SolarWinds' President and CEO stated that an estimated 18,000 customers downloaded the malicious update between March and June of 2020.
Additionally, NOBELIUM inserted backdoors for espionage into the network-management software SolarWinds distributed. Once inside a victim, the attackers added new Azure identities, granted greater rights to existing identities, and abused Microsoft services to steal email. Two things needed to happen for the attack to work:
As a result, NOBELIUM was able to infiltrate the Cybersecurity and Infrastructure Security Agency (CISA), the government organization tasked with protecting federal civilian networks from attack. This access gave NOBELIUM the ability to steal, alter, and destroy data. Once inside, NOBELIUM worked to remove traces of its presence, making it difficult for investigators to prove who was behind the breach. Because NOBELIUM roamed the network undetected for roughly nine months, it is not clear whether the group was simply reading email or planted something destructive for use in the future.
After the SolarWinds attack, chatter surrounding NOBELIUM died down, but some researchers and analysts, including Microsoft, continued to keep a watchful eye on the threat actor despite its apparent lack of activity. In October 2021, Microsoft warned that NOBELIUM was once again attacking the global IT supply chain. The campaign was first observed in May 2021; by October, Microsoft had identified 140 companies targeted, 14 of which are believed to have been compromised.
While Microsoft estimated that the SolarWinds operation may have required the effort of more than 1,000 engineers, the latest attacks do not appear to rely on specific vulnerabilities or security flaws at all. NOBELIUM instead uses password spraying, API abuse, phishing, and token theft to obtain account credentials and privileged access to victims' systems. In related activity, Microsoft found NOBELIUM using a backdoor it calls FoggyWeb to maintain persistence on compromised Active Directory Federation Services (AD FS) servers; that persistence mechanism was first observed in the wild in April 2021.
Image 1: New Access Across a Variety of Methods
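Password spraying is easy to miss with per-account lockout rules because each account sees only one or two failures; the signal lives at the source, not the account. The Python below is an added example (not code from the article, Microsoft, or Avertium) that runs that logic over constructed Azure AD-style sign-in records: it groups failures by source IP, slides a time window, and flags any source that fails against many distinct accounts with few attempts each, then reports which accounts that source later signed into successfully. The window and thresholds are assumptions to be tuned per tenant; error code 50126 is Azure AD's "invalid username or password".

```python
"""Flag password spraying in sign-in logs: one source, many accounts, few tries each.

Added example; not code from the article, Microsoft, or Avertium. The sign-in
records are constructed and the thresholds are assumptions to tune per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD reports a wrong password as error code 50126; 0 is a successful sign-in.
BAD_PASSWORD = 50126
SUCCESS = 0

BASE = datetime(2021, 9, 1, 8, 0, 0)


def ev(minute, user, ip, code):
    """Build one constructed sign-in record, `minute` minutes after BASE."""
    return {"ts": BASE + timedelta(minutes=minute), "user": user, "ip": ip, "code": code}


# Constructed sample: 203.0.113.7 tries eight accounts once each (a spray) and then
# signs in as the one whose password matched; 198.51.100.20 is a single user
# mistyping her password three times before getting in.
SAMPLE_SIGNINS = [ev(2 * i, f"user{i:02d}@corp.example", "203.0.113.7", BAD_PASSWORD) for i in range(8)]
SAMPLE_SIGNINS += [
    ev(17, "user07@corp.example", "203.0.113.7", SUCCESS),
    ev(3, "alice@corp.example", "198.51.100.20", BAD_PASSWORD),
    ev(4, "alice@corp.example", "198.51.100.20", BAD_PASSWORD),
    ev(5, "alice@corp.example", "198.51.100.20", BAD_PASSWORD),
    ev(6, "alice@corp.example", "198.51.100.20", SUCCESS),
]


def detect_password_spray(events, window_minutes=30, min_users=5, max_tries_per_user=3.0):
    """Return {ip: finding} for sources whose failures fan out across many accounts.

    A classic brute force hammers one account (and trips lockout); a spray hits
    many accounts with one or two guesses each, so the signal is the number of
    distinct accounts failing from one IP inside a window, not the failure count.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["code"] != SUCCESS]
        best = None  # (distinct users, failures, window start) for the widest window
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            span = failures[start:end + 1]
            users = {e["user"] for e in span}
            if best is None or len(users) > best[0]:
                best = (len(users), len(span), span[0]["ts"])
        if best is None:
            continue
        distinct, count, since = best
        if distinct >= min_users and count / distinct <= max_tries_per_user:
            # a success from the same source after the spray began is a likely hit
            hits = sorted({e["user"] for e in evs if e["code"] == SUCCESS and e["ts"] >= since})
            findings[ip] = {"distinct_users": distinct, "failures": count, "compromised": hits}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

On the sample, only 203.0.113.7 is flagged (eight distinct accounts, one failure each) and user07@corp.example is reported as the account it then got into; alice's three typos from 198.51.100.20 never trip the rule because they all belong to one account. A real deployment would widen the window for "low and slow" sprays and key on ASN or user agent as well as IP, since NOBELIUM rotates infrastructure per target.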
Although NOBELIUM's success rate in these recent attempts is in the low single digits, Microsoft notified 609 customers of 22,868 attack attempts by the group between July 1 and October 19, 2021. For comparison, Microsoft had notified customers of attacks from all nation-state actors a total of 20,500 times over the preceding three years. NOBELIUM's 2021 activity also included a phishing campaign that impersonated USAID, the United States international development and humanitarian agency. Microsoft assesses that this activity is Russia's way of gaining long-term, systematic access to points throughout the technology supply chain, so that it can reach targets of interest to the Russian government on demand.
Since May 2021, NOBELIUM has targeted cloud service providers, managed service providers, and other IT services organizations in Europe and the United States. Microsoft reported that the campaign abuses the delegated administrative privileges and other technical trust relationships those providers hold over the environments of the governments, think tanks, and companies they serve: compromising one provider yields a path into many downstream customers without having to breach each one directly.
Image 2: FoggyWeb Backdoor
FoggyWeb is a passive, highly targeted backdoor that can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server. After compromising an AD FS server, Microsoft observed the threat actor dropping the following files:
Microsoft further observed NOBELIUM abusing privileged accounts at service providers to move laterally into cloud environments and leverage trusted relationships, gaining access to downstream customers to further its attacks. FoggyWeb comes into play only after the actor already holds administrator credentials for an AD FS server: NOBELIUM uses that access to plant the backdoor, which then runs with administrator-level privileges inside the AD FS service and lets the actor remotely exfiltrate the server's configuration database, the decrypted token-signing certificate, and the token-decryption certificate, as well as download and execute additional components. The token-signing certificate is the prize: whoever holds it can mint SAML tokens for any federated user, including Global Administrators, that Azure AD and other relying parties will accept as genuine, and rotating that certificate is the only way to invalidate tokens forged with it.
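A token forged with a stolen token-signing certificate is cryptographically valid, so signature checks will not catch it; what it lacks is a corresponding issuance on the AD FS side. The Python below is an added example (not code from the article, Microsoft, or Avertium) of that correlation: it takes constructed AD FS Admin log events and constructed cloud sign-in records and returns every federated sign-in for which AD FS recorded no Event ID 1200 ("The Federation Service issued a valid token") for the same user in the preceding minutes. It assumes AD FS auditing is enabled and that the sign-in log indicates whether a sign-in was federated; the skew window is an assumption.

```python
"""Find federated sign-ins that AD FS never issued a token for.

Added example; not code from the article, Microsoft, or Avertium. Both event
sets are constructed. Assumption: AD FS auditing is on, so each legitimate
token appears as Event ID 1200 ("The Federation Service issued a valid token")
in the AD FS Admin log, and the cloud sign-in log records whether a sign-in was
federated. A token minted offline with a stolen token-signing certificate is
valid to the relying party but leaves no 1200 event, so the two logs disagree.
"""
from datetime import datetime, timedelta

TOKEN_ISSUED = 1200


def at(hh, mm, ss=0):
    """Timestamp helper for the constructed events (all on 2021-10-04)."""
    return datetime(2021, 10, 4, hh, mm, ss)


# Constructed AD FS Admin log: issuance events for alice and bob only.
SAMPLE_ADFS_EVENTS = [
    {"event_id": TOKEN_ISSUED, "ts": at(9, 0, 5), "user": "alice@corp.example"},
    {"event_id": 1202, "ts": at(9, 10, 0), "user": "bob@corp.example"},  # credential validated
    {"event_id": TOKEN_ISSUED, "ts": at(9, 10, 1), "user": "bob@corp.example"},
]

# Constructed cloud sign-in log. The admin sign-in is federated but has no
# matching issuance in AD FS: the shape of a forged ("golden") SAML token.
SAMPLE_CLOUD_SIGNINS = [
    {"ts": at(9, 0, 7), "user": "alice@corp.example", "auth": "federated", "app": "Office 365"},
    {"ts": at(9, 10, 3), "user": "Bob@corp.example", "auth": "federated", "app": "Office 365"},
    {"ts": at(9, 31, 0), "user": "admin@corp.example", "auth": "federated", "app": "Azure Portal"},
    {"ts": at(9, 40, 0), "user": "carol@corp.example", "auth": "password", "app": "Office 365"},  # cloud-only
]


def find_unissued_federated_signins(adfs_events, signins, max_skew_minutes=10):
    """Return federated sign-ins with no AD FS issuance for the same user in the preceding window."""
    skew = timedelta(minutes=max_skew_minutes)
    issued = [(e["user"].lower(), e["ts"]) for e in adfs_events if e["event_id"] == TOKEN_ISSUED]
    suspicious = []
    for s in signins:
        if s["auth"] != "federated":
            continue  # cloud-only sign-ins never touch AD FS
        user = s["user"].lower()
        # a legitimate token is issued shortly before the relying party sees it
        matched = any(u == user and timedelta(0) <= s["ts"] - ts <= skew for u, ts in issued)
        if not matched:
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for s in find_unissued_federated_signins(SAMPLE_ADFS_EVENTS, SAMPLE_CLOUD_SIGNINS):
        print(f'{s["ts"]:%H:%M:%S} {s["user"]} -> {s["app"]}: federated sign-in with no AD FS issuance')
```

On the sample, only the admin@corp.example sign-in to the Azure Portal is returned: alice and bob each have a 1200 event a couple of seconds earlier, and carol's password sign-in is cloud-only and skipped. In production the comparison must account for multiple AD FS farm nodes and clock drift between them and the cloud log, which is what the skew parameter is for; a hit should be followed by rotating the token-signing certificate and rebuilding the AD FS servers, since an actor who has the certificate can keep minting tokens until it is replaced.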
So far, NOBELIUM has directed its attacks toward a particular set of industries: technology, think tanks, telecommunications, military, and IT. The group has been active for more than 10 years and has a number of successful operations behind it, including the 2016 breach of the Democratic National Committee.
So, how can a threat actor who keeps changing tactics be stopped? The answer is more complicated than following a list of do's and don'ts. Kevin Mandia, CEO of the cyber security company FireEye, noted that while the evidence so far points to the industries above, NOBELIUM likely has less obvious targets in mind, such as healthcare and utilities:
"I think utilities might be on that list. I think health care might be on that list. And you don't necessarily want to be on the list of fair game for the most capable offense to target you." Kevin Mandia – NPR.org
To keep an attack as sophisticated as NOBELIUM's from disrupting business operations, organizations need to stay several steps ahead. Fortunately, Microsoft caught NOBELIUM's recent campaign in its early stages and shared information that cloud service resellers, technology providers, and customers can act on. Time is everything when trying to contain an attack; cyber security insurance can help an organization absorb the cost of an incident, but it does not prevent one.
In light of NOBELIUM's new campaign, organizations and administrators should enforce strict account security procedures (multi-factor authentication on every account, least-privilege delegated admin rights, and regular review of which partners hold access to the tenant) and take further measures to keep their environments safe. Avertium offers EDR and MDR services to help keep your organization safe.
Avertium also recommends the following for NOBELIUM:
Microsoft recommends the following for FoggyWeb malware:
Avertium recommends the following for SUNBURST:
Avertium recommends the following for ProxyShell:
Backdoor – A way to access a computer system or encrypted data that bypasses the system's customary security controls.
Command-and-Control (C2) – Systems used by attackers to communicate with compromised systems within a network.
Malware – A general term for viruses, worms, trojans, and other harmful programs. Attackers use them to steal data, spy on or damage systems and networks, or extort victims, whether for financial gain, espionage, or disruption.
Password Spraying – A form of brute-force attack in which the attacker tries one (or a few) common passwords against many different accounts, rather than many passwords against one account. Keeping the attempts per account low lets the attacker stay under lockout thresholds and avoid per-account alerts.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.