It’s a daily routine for the cybersecurity community to encounter new kinds of cyberthreats from old perpetrators. Recently, the Microsoft Threat Intelligence Center (MSTIC) confirmed a new threat activity from NOBELIUM, the Russian state-sponsored group, which was allegedly behind the SolarWinds hacks, the SUNBURST backdoor, GoldMax malware, and the TEARDROP malware campaigns.
The MSTIC stated that they observed password spray and brute-force attacks from the group targeting certain specific entities, including IT companies (57%), government organizations (20%), and a small percentage of think tanks, non-governmental organizations, and financial services. The attackers mostly targeted the U.S.-based organizations (45%), followed by the U.K. (10%), Germany and Canada.
Information Stealing Malware
Microsoft stated it also found information-stealing malware on a device belonging to one of its customer support representatives, who had access to the account information of some of its customers. The attackers could have possibly used customers’ compromised data in some of their high-profile attacks. While the investigation is still ongoing, Microsoft has notified all the affected customers and recommended them to take security precautions like two-factor authentication (2FA) or multi-factor authentication to protect their sensitive data from potential threats.
“We responded quickly, removed the access, and secured the device. The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust least privileged access approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure,” MSTIC said.
New Email-Based Attacks from NOBELIUM
Last month, the MSTIC discovered a large-scale malicious email campaign by the NOBELIUM threat group. The attackers misused the legitimate mass-mailing service, Constant Contact, to imitate as a U.S.-based firm and spread malicious URLs across a wide range of industries.
NOBELIUM email campaign leveraged spear-phishing emails, with malicious HTML attachments, to compromise the targeted systems. Once the victim downloads the attachment, a JavaScript within the HTML file automatically deploys itself and executes the Cobalt Strike Beacon on the compromised system. NOBELIUM reportedly targeted over 3,000 individual accounts across 150 organizations.
“Similar spear-phishing campaigns were detected throughout March, which included the NOBELIUM actor making several alterations to the accompanying HTML document based on the intended target. MSTIC also observed the actor experimenting with removing the ISO from Firebase, and instead encoding it within the HTML document. Similarly, the actor experimented with redirecting the HTML document to an ISO, which contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF,” MSTIC added.
