Microsoft has issued a warning that NOBELIUM, the state-sponsored group behind the SolarWinds attack, has targeted at least 140 resellers and technology service providers in global IT supply chains. “The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access,” says Microsoft in a blog post.
With the number of machine identities growing at a rapid pace, Microsoft’s research is a warning bell for every organization that relies on a vast and complex supply chain.
On October 24, Tom Burt, Microsoft Corporate Vice President of Customer Security & Trust said in an advisory that the advanced persistent threat (APT) group NOBELIUM has now pivoted to software and cloud service resellers in order to "piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers."
“NOBELIUM has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” wrote Tom Burt.
According to Microsoft’s threat analysts, NOBELIUM has been trying to compromise cloud service providers, managed service providers, and other IT services organizations in the US and Europe, in order to ultimately reach the government organizations, think tanks, and companies that those providers serve.
“These attacks are not the result of a product security vulnerability but rather a continuation of NOBELIUM’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts,” said Microsoft in another advisory. “By stealing credentials and compromising accounts at the service provider level, NOBELIUM can take advantage of several potential vectors.”
This well-coordinated and well-executed attack is part of a wider intelligence-gathering effort in the context of ongoing cyber warfare between Russia on one side and the US and Europe on the other. Some call it a “cyber cold war”, a clear revival of the 1980s Cold War, this time in cyberspace. “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest to the Russian government,” wrote Tom Burt.
Microsoft has informed all impacted vendors and has also released technical guidance outlining how NOBELIUM attempts to move laterally across networks to reach downstream customers. These recommendations include enabling multi-factor authentication, checking activity logs, and removing delegated administrative privileges when no longer needed.
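Of the three recommendations above, “checking activity logs” is the one that benefits from a concrete illustration. The block below is an added example, not code from Microsoft, Venafi or the original post. It runs a simple password-spray heuristic over a constructed, simplified sign-in log (timestamp, user, source IP, result): a spray shows up as one source producing failed sign-ins against many distinct accounts in a short window, rather than many failures against one account. The log format, the thresholds (`min_users`, `window`) and the sample addresses are assumptions; a real identity provider’s sign-in export carries more fields, but the same grouping applies.

```python
"""Password-spray detection over sign-in activity logs.

Added example (not from the original post, Microsoft or Venafi).
Assumes a constructed CSV log: timestamp,user,source_ip,result.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; 203.0.113.7 tries five different accounts
# in ten seconds and then succeeds against a sixth, which is the spray
# pattern. 198.51.100.20 is a single user mistyping their own password.
SAMPLE_LOG = """\
2021-10-24T08:00:01Z,alice@example.test,203.0.113.7,failure
2021-10-24T08:00:03Z,bob@example.test,203.0.113.7,failure
2021-10-24T08:00:05Z,carol@example.test,203.0.113.7,failure
2021-10-24T08:00:07Z,dave@example.test,203.0.113.7,failure
2021-10-24T08:00:09Z,erin@example.test,203.0.113.7,failure
2021-10-24T08:00:11Z,frank@example.test,203.0.113.7,success
2021-10-24T08:05:00Z,alice@example.test,198.51.100.20,failure
2021-10-24T08:05:10Z,alice@example.test,198.51.100.20,failure
2021-10-24T08:05:20Z,alice@example.test,198.51.100.20,success
2021-10-24T09:30:00Z,grace@example.test,192.0.2.33,failure
"""


def parse_log(text):
    """Parse the constructed CSV format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.strip().lower(),
            "ip": ip.strip(),
            "result": result.strip(),
        })
    return events


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source IP whose failed sign-ins
    cover at least `min_users` distinct accounts inside a sliding `window`.

    Each finding lists how many accounts were targeted and which accounts
    later saw a successful sign-in from the same source; those are the
    accounts to review (and re-credential) first.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it fits `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                window_start = failures[start]["ts"]
                successes = sorted({
                    e["user"] for e in evs
                    if e["result"] == "success" and e["ts"] >= window_start
                })
                findings[ip] = {
                    "targeted_users": len(users),
                    "later_successes": successes,
                }
                break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The heuristic deliberately keys on distinct accounts per source rather than failures per account, because a spray keeps the per-account failure count low to stay under lockout thresholds; tune `min_users` and `window` to the tenant’s baseline, and treat a success following the spray as the highest-priority event in the output.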
An important component of minimizing access privileges is having a robust and automated machine identity management program in place. Machines—any non-human entity, including APIs, containers, cloud workloads and IoT-connected devices—are increasing in volume and form the backbone of every digital business initiative. Once siloed within security teams, machine identity management is now an important ingredient of enterprise-wide business risk management.
Weak management results in orphaned or unprotected machine identities that can easily be compromised or stolen by adversaries. Attackers and criminal groups, such as NOBELIUM, can leverage compromised machine identities—such as code signing keys—to gain privileged access to critical systems, maintain a strong foothold, and pivot their malicious actions to disrupt operations and exfiltrate sensitive data. The consequences of compromised machine identities can be devastating, affecting not only the victim organization but also local communities, the national economy and national security. This is why President Biden’s Executive Order focuses so heavily on both strong authentication and the protection of supply chains.
Businesses can protect themselves against threat actors like NOBELIUM by implementing a robust machine identity management program. Solutions such as Venafi CodeSign Protect can help organizations protect the code signing machine identities used to protect their software across the extended enterprise. As part of the Trust Protection Platform, CodeSign Protect powers enterprise solutions that give you the visibility, intelligence and automation to protect your software infrastructure.
If you wish to learn more, reach out to one of our experts. They will be glad to answer all your questions.