Internet related News · 2021-10-26

New cyberattacks against US, Europe firms, says Microsoft – News


According to the Microsoft Threat Intelligence Center (MSTIC), nation-state actors have attempted to compromise downstream customers via cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers. The IT major said on one of its blogs that the targeted activity has been observed since May 2021 against organizations based throughout Europe and the United States.

NOBELIUM is the same actor behind the SolarWinds compromise in 2020, and this new activity “shares the hallmarks of the actor’s compromise-one-to-compromise-many approach.” Microsoft has notified known victims of these activities.

These attacks, said Microsoft, were not the result of a product security vulnerability but rather a continuation of NOBELIUM’s use of a diverse and dynamic toolkit that included sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts. These attacks have highlighted the need for administrators to adopt strict account security practices and take additional measures to secure their environments.

In the observed supply chain attacks, NOBELIUM was also targeting downstream customers of service providers and other organizations. In these provider/customer relationships, customers delegate administrative rights to the provider, which enable the provider to manage the customer’s tenants as if it were an administrator within the customer’s organization. By stealing credentials and compromising accounts at the service provider level, NOBELIUM could take advantage of several potential vectors, including but not limited to delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access, Microsoft added.

Microsoft has prescribed certain remedial actions, which you can read about here.

 
