A set of recent attacks have been attributed to Nobelium, the same nation-state actor behind the SolarWinds attack in 2020.
The attacks began in May, with Microsoft notifying more than 140 resellers and service providers that were targeted by Nobelium (14 estimated to be compromised), and 609 customers that were attacked over 22,000 times.
- Both target resellers or managed service providers (MSPs) that customize, deploy and manage IT or cloud services on behalf of their customers
- The attacks leverage the direct access resellers/MSPs may have to customer IT systems
To protect against Nobelium's observed tactics, MSPs should strengthen their preventative and defensive security posture with a few basic measures: multi-factor authentication, the principle of least privilege, and a detection and response solution that can surface early indicators of an attack in progress.
The Attack Methods of Choice: Password Spraying, Phishing & Privileged Accounts
A key difference in these latest attacks is the type of methods used against victim organizations and service providers. Instead of exploiting a flaw in the remote management and monitoring (RMM) software, as was seen in the Kaseya ransomware attack against MSPs, Nobelium has been reported to use password spraying and phishing to steal credentials and access systems.
Microsoft’s guidance for MSPs and cloud service providers on handling the recent attacks also notes that privileged accounts are being targeted, in particular:
Microsoft has observed Nobelium targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted technical relationships to gain access to downstream customers and enable further attacks or access targeted systems. – Microsoft Partner Network team
After stealing credentials and compromising accounts at the service provider level, Nobelium then leverages privileged access (delegated administrative privileges – DAP) to further downstream attacks through externally-facing VPNs or solutions that enable network access for providers.
Prevention: Multi-Factor Authentication; Least Privilege
These identity-based attacks aren’t new, but they still tend to work, because many service providers have not put in place the basic security measures that make such attacks far less likely to succeed:
- Multi-Factor Authentication (MFA) – Implement this on everything that you log into, especially any critical applications that allow access to your customers or customer data. It can go a long way to stop an attacker from leveraging a single password (stolen via phishing or guessed via password spraying) to gain access to your entire customer base. Microsoft has required its resellers to enable MFA to access their cloud portals and underlying services.
- Least Privilege – Further reduce your overall attack surface by keeping track of user privileges and limiting them to only what each user needs in order to complete their job duties. Reduce the scope of your risk by giving fewer users access to customer-related systems and accounts, or granting that access only on an as-needed basis.
Detect Early to Prevent Customer Compromise
In addition to taking preventative measures, detecting Nobelium’s noted attack methods in your environment early enough can enable your IT team to quickly respond and contain/block the threat before it results in customer compromise.
Identifying the following attacker behaviors can help you focus on real threats and reduce false positives:
Password Spraying. If protected by only a single factor, the odds of an attacker successfully brute-forcing their way into your systems using this method are high. Blumira identifies and notifies you of any password spraying attempts seen against your accounts, including domain controllers, which indicates an attacker is taking a slow, methodical approach to accessing your environment while avoiding detections or lockout protections.
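The distinguishing signature of a spray, as opposed to a brute force against one account, is many distinct accounts tried from one source with only one or two attempts each, so that no single account reaches the lockout threshold. The following is an added example of that detection logic, not Blumira's or Microsoft's code; the event records are constructed in the shape of Windows Security Event ID 4625 (failed logon) with invented timestamps, account names and RFC 5737 documentation addresses, and the field names are an assumption.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, src_ip, target):
    """Build a constructed 4625-style failed-logon record (field names assumed)."""
    return {"ts": datetime.fromisoformat(ts), "event_id": 4625,
            "src_ip": src_ip, "target_user": target}


# Constructed sample events.
SAMPLE_EVENTS = [
    # One attempt each against many accounts from one address: spray pattern.
    _ev("2021-10-25T09:00:00", "203.0.113.7", "alice"),
    _ev("2021-10-25T09:01:10", "203.0.113.7", "bob"),
    _ev("2021-10-25T09:02:20", "203.0.113.7", "carol"),
    _ev("2021-10-25T09:03:30", "203.0.113.7", "dave"),
    _ev("2021-10-25T09:04:40", "203.0.113.7", "erin"),
    _ev("2021-10-25T09:05:50", "203.0.113.7", "frank"),
    # Many attempts against one account: a brute force, not a spray.
    _ev("2021-10-25T09:00:05", "198.51.100.9", "bob"),
    _ev("2021-10-25T09:00:06", "198.51.100.9", "bob"),
    _ev("2021-10-25T09:00:07", "198.51.100.9", "bob"),
    _ev("2021-10-25T09:00:08", "198.51.100.9", "bob"),
    _ev("2021-10-25T09:00:09", "198.51.100.9", "bob"),
    _ev("2021-10-25T09:00:10", "198.51.100.9", "bob"),
    # A user mistyping a password twice: benign noise.
    _ev("2021-10-25T09:10:00", "192.0.2.5", "alice"),
    _ev("2021-10-25T09:10:30", "192.0.2.5", "alice"),
]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_attempts_per_account=2):
    """Flag source addresses that fail logons against at least `min_accounts`
    distinct accounts inside a sliding `window`, while never exceeding
    `max_attempts_per_account` on any one of them (the lockout-avoiding
    pattern). Returns one finding per source address, for the first window
    that triggers."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src_ip"]].append(e)

    findings = []
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        left = 0
        for right in range(len(evs)):
            # Advance the left edge so the window never spans more than `window`.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            per_account = Counter(e["target_user"] for e in evs[left:right + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_attempts_per_account):
                findings.append({
                    "src_ip": src_ip,
                    "distinct_accounts": len(per_account),
                    "max_attempts_per_account": max(per_account.values()),
                    "first_seen": evs[left]["ts"].isoformat(),
                    "last_seen": evs[right]["ts"].isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports only 203.0.113.7: the single-account hammering from 198.51.100.9 fails the distinct-account test (it belongs to a separate brute-force rule), and the two mistyped logons from 192.0.2.5 never reach the threshold. Tuning `window` and `min_accounts` against your own logon volume is what keeps the rule from firing on help-desk password resets.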
Privileged User Account Changes. Attackers may add users to highly privileged groups, or enable privileged user accounts, to gain access to more resources and establish persistence: the techniques an attacker uses to maintain a foothold on your systems despite restarts, changed credentials or other interruptions that could cut off their access. Blumira detects privileged account activity that could be suspicious so you can investigate further.
Anomalous MFA Login Activity. Monitoring your MFA applications for unusual activity can help you detect potential attacker behavior early. For example, Blumira detects and notifies your IT team of MFA account lockouts, attempted logins from outside of the U.S., unfeasible or geo-impossible logins by the same user across different locations within a short period of time, and much more.
This is especially key to monitor as Microsoft has noted that “Nobelium has been observed authenticating to accounts from anomalous locations that might trigger impossible travel analytics or fail to pass deployed conditional access policies.”
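The "geo-impossible login" check mentioned above reduces to a distance-over-time calculation between consecutive sign-ins by the same user. The following is an added example of that check, not Blumira's or Microsoft's code; the sign-in records and coordinates are constructed, the tuple layout is an assumption, and a real feed (Azure AD sign-in logs, for instance) would supply a geolocated source IP in place of the hard-coded latitude and longitude.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed sample sign-ins: (user, UTC timestamp, location label, lat, lon).
SAMPLE_LOGINS = [
    ("alice", "2021-10-25T08:00:00", "Detroit", 42.33, -83.05),
    ("alice", "2021-10-25T08:45:00", "Frankfurt", 50.11, 8.68),
    ("bob", "2021-10-25T08:00:00", "Detroit", 42.33, -83.05),
    ("bob", "2021-10-25T12:30:00", "Chicago", 41.88, -87.63),
    # Two geo-IP readings a few km apart within the same minute: jitter, not travel.
    ("carol", "2021-10-25T09:00:00", "Detroit", 42.33, -83.05),
    ("carol", "2021-10-25T09:00:30", "Dearborn", 42.32, -83.18),
]


def detect_impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive sign-ins by one user whose implied speed exceeds what a
    commercial flight could manage. Hops shorter than min_distance_km are
    ignored so geo-IP jitter inside a single metro area does not alert."""
    by_user = defaultdict(list)
    for user, ts, label, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), label, lat, lon))

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r[0])
        for (t1, l1, lat1, lon1), (t2, l2, lat2, lon2) in zip(recs, recs[1:]):
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Identical timestamps with real distance between them are
            # unreachable at any speed; represent that as infinity.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": l1,
                    "to": l2,
                    "distance_km": round(dist, 1),
                    "elapsed_hours": round(hours, 2),
                    "implied_speed_kmh": round(speed, 1) if hours > 0 else math.inf,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(SAMPLE_LOGINS):
        print(finding)
```

With the constructed data only alice is flagged (roughly 6,600 km in 45 minutes); bob's Detroit-to-Chicago drive over four and a half hours and carol's two readings inside the Detroit area pass. The speed threshold and the minimum distance are the two knobs that trade false positives from VPN exits and coarse geolocation against missed detections.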
Credential-Stealing Activity. As noted above, Nobelium may attempt to steal credentials to gain access and move laterally through an environment. Blumira detects credential-stealing activity and alerts you to the IP address and device it originates from, such as behavior that matches known hacking tools used to elevate privileges on a targeted host (e.g., Mimikatz pass-the-hash).
Azure AD & Microsoft 365 Login Activity. Since this attack is also targeting cloud service providers, Microsoft has advised partners to review and audit Azure AD logins and configuration changes, as well as your existing log availability and retention strategy for cloud-based resources like Microsoft 365. Blumira tracks login attacks against Azure, as well as the creation or modification of a Microsoft 365 group, when a user clicks a malicious URL, unusual administrative activity, emails reported as malware or phishing, and more to keep you aware of ongoing cloud security events.
This is critical to monitor and detect in a timely manner, as Microsoft has said that “Nobelium has been observed modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications…”
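The privileged-group additions and account enablements described under "Privileged User Account Changes" and the Azure AD role grants, user creations and application consents quoted from Microsoft above are the same class of event in two log sources. The following is an added example that triages both, not Blumira's or Microsoft's code. The Windows event IDs (4728/4732/4756 for members added to security-enabled global/local/universal groups, 4722 for an account enabled) and the Azure AD audit activity names are real, but the flat record layout and every sample record are constructed assumptions for illustration.

```python
# Windows Security event IDs: member added to a security-enabled
# global (4728), local (4732) or universal (4756) group; account enabled (4722).
WINDOWS_GROUP_ADD_EVENTS = {4728, 4732, 4756}
WINDOWS_ACCOUNT_ENABLED = 4722

PRIVILEGED_AD_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}
PRIVILEGED_AAD_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Exchange Administrator",
}
# Azure AD audit activities worth a review even when no privileged role is involved.
REVIEW_AAD_ACTIVITIES = {"Consent to application", "Add user"}

# Constructed sample records (simplified, assumed layout).
SAMPLE_RECORDS = [
    {"source": "windows", "ts": "2021-10-25T10:00:00", "event_id": 4728,
     "actor": "svc-helpdesk", "member": "jdoe", "group": "Domain Admins"},
    {"source": "windows", "ts": "2021-10-25T10:01:00", "event_id": 4728,
     "actor": "svc-helpdesk", "member": "jdoe", "group": "Sales"},
    {"source": "windows", "ts": "2021-10-25T10:02:00", "event_id": 4722,
     "actor": "svc-helpdesk", "target": "backup-admin"},
    {"source": "azuread", "ts": "2021-10-25T10:05:00", "activity": "Add member to role",
     "actor": "partner-admin@example.com", "target": "jdoe@example.com",
     "role": "Global Administrator"},
    {"source": "azuread", "ts": "2021-10-25T10:06:00", "activity": "Add member to role",
     "actor": "partner-admin@example.com", "target": "jdoe@example.com",
     "role": "Directory Readers"},
    {"source": "azuread", "ts": "2021-10-25T10:07:00", "activity": "Consent to application",
     "actor": "jdoe@example.com", "target": "MailReader"},
    {"source": "azuread", "ts": "2021-10-25T10:08:00", "activity": "Update user",
     "actor": "jdoe@example.com", "target": "asmith@example.com"},
    {"source": "azuread", "ts": "2021-10-25T10:09:00", "activity": "Add user",
     "actor": "jdoe@example.com", "target": "svc-sync@example.com"},
]


def _alert(severity, ts, actor, summary):
    return {"severity": severity, "ts": ts, "actor": actor, "summary": summary}


def triage_privilege_changes(records, watched_accounts=frozenset()):
    """Return an alert (severity high/medium/low) for each record that changes
    privilege or persistence: privileged-group membership, enabling a watched
    privileged account, Azure AD role grants, user creation and app consent."""
    alerts = []
    for r in records:
        if r["source"] == "windows":
            eid = r["event_id"]
            if eid in WINDOWS_GROUP_ADD_EVENTS and r["group"] in PRIVILEGED_AD_GROUPS:
                alerts.append(_alert("high", r["ts"], r["actor"],
                                     f"{r['member']} added to {r['group']} (event {eid})"))
            elif eid == WINDOWS_ACCOUNT_ENABLED and r["target"] in watched_accounts:
                alerts.append(_alert("high", r["ts"], r["actor"],
                                     f"watched account {r['target']} enabled (event 4722)"))
        elif r["source"] == "azuread":
            act = r["activity"]
            if act == "Add member to role":
                # Any role grant is recorded; privileged roles are escalated.
                sev = "high" if r["role"] in PRIVILEGED_AAD_ROLES else "low"
                alerts.append(_alert(sev, r["ts"], r["actor"],
                                     f"{r['target']} granted role {r['role']}"))
            elif act in REVIEW_AAD_ACTIVITIES:
                alerts.append(_alert("medium", r["ts"], r["actor"], f"{act}: {r['target']}"))
    return alerts


if __name__ == "__main__":
    for a in triage_privilege_changes(SAMPLE_RECORDS, watched_accounts={"backup-admin"}):
        print(a["severity"].upper(), a["ts"], a["actor"], a["summary"])
```

The watched-account list exists because Windows event 4722 alone does not say whether the enabled account matters; pairing it with an inventory of dormant privileged accounts is what turns it into a signal. The Azure AD branch deliberately records every role grant, since the Microsoft guidance quoted above treats role assignment itself as a persistence mechanism.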
See additional resources for logging this type of activity, including:
- Documentation for how to quickly and easily set up Blumira’s platform with third-party integrations to start collecting logs, detecting threats and how to respond: Windows Server, Azure AD, Microsoft 365, Duo Security, Okta
- Microsoft security use cases to learn what we integrate with, how we help with advanced Windows logging and more
- Guidance for partners on specific steps they can take to protect and detect Nobelium-related attacks, from Microsoft
Blumira’s cloud SIEM and security operations team can help MSPs protect themselves and their customers against the many attack methods of Nobelium and other threat actors. We provide:
- Easy-to-deploy and affordable platform, designed to be set up by your existing team in hours and suited to SMB needs
- A single centralized dashboard with multi-tenancy to make management simple for MSPs with multiple clients
- Pre-built detections based on attacker behavior to help reduce alert fatigue, with automated blocking and playbooks for every finding to guide you through response
- A responsive security operations team you can reach out to for expertise and ongoing support to help you continuously improve your security coverage