SolarWinds group makes new attacks

Group involved in SolarWinds case makes new attacks on the supply chain

The Nobelium group, the group behind the SolarWinds case, is replicating tactics from its previous supply chain attacks with new approaches. Such attacks have been occurring in the United States and Europe since May 2021. Between July 1 and October 19 of this year, Microsoft notified 609 customers that they had been attacked 22,868 times by Nobelium; by comparison, in the three years before July 1, 2021, Microsoft had notified customers of attacks by all APTs 20,500 times.

The goal of the attacks is to gain access to downstream customers of various cloud service providers (CSP), managed service providers (MSP), and other IT service organizations that are granted administrative privileges or access by other organizations. Such activity has been observed in organizations based in the United States and across Europe since May 2021.

New type of attack

A recent Nobelium campaign against these organizations aimed to exploit the technical trust relationships that exist between provider companies, governments, and other client companies. According to Microsoft, in this type of attack, Nobelium targets privileged service provider accounts to move laterally in cloud environments, leveraging trusted relationships to gain access to downstream customers and enable other attacks or access targeted systems.

Such attacks are not aimed at exploiting security vulnerabilities in a product, but are part of the arsenal of techniques and tools used by the group, which includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage access to those accounts. These attacks highlighted the need for administrators to adopt strict account security practices and take additional steps to protect their environments.

In the attacks observed by Microsoft, Nobelium also targeted end customers, as they delegate administrative rights to the provider that allow the provider to manage the multiple applications in the customer's environment as if they were an administrator within the organization. By stealing credentials and compromising accounts at the service provider level, Nobelium can take advantage of several potential vectors, such as delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels such as VPNs or unique provider-client solutions that allow network access.

Post Exploitation Patterns

In the most recent campaign, the approach is compromise-one-to-compromise-many: the service providers' chain of trust is exploited to gain broad access to the services and applications of many customers for subsequent attacks. These administrative privileges are usually not audited for approved usage, nor disabled by the service provider or the customer after usage ends, so they remain active until an administrator removes them. Once Nobelium has compromised the accounts linked to those administrative privileges through other credential theft attacks, this access gives actors such as Nobelium persistence for ongoing campaigns.

In one of the cases tracked during this campaign, the group was observed chaining artifacts and access through four different providers to reach their final target. The example below demonstrates the breadth of techniques the group uses to exploit and abuse trust relationships in order to achieve their goal.

Figure 1 - Source: Microsoft

It is believed that organizations, such as cloud service providers and other technology organizations that manage services on behalf of downstream customers, will be of continuing interest to threat actors and are at risk of being targeted through a variety of methods, from credential access to targeted social engineering through legitimate business processes and procedures.

Detection and investigation through queries - Threat Hunting

All hunting queries and detection content for Microsoft products, including Azure Sentinel, Microsoft 365 Defender, Microsoft Cloud App Security and Azure Defender, can be accessed here.
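As an added illustration, not part of the article or of Microsoft's published queries, the following Python sketch applies the compromise-one-to-compromise-many pattern described above to constructed sign-in records: it keeps only sign-ins where an account homed in the provider tenant reaches a customer tenant, then flags any account that touches several distinct customer tenants within a short window. The field names mirror the shape of Azure AD sign-in logs, but the records, tenant ids, IPs and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identifier for the example; not a real tenant id.
PROVIDER_TENANT = "csp-tenant-0001"

def rec(ts, upn, resource_tenant, ip, home_tenant=PROVIDER_TENANT):
    """Build one sign-in row shaped like an Azure AD SigninLogs record (field names assumed)."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "HomeTenantId": home_tenant,
            "ResourceTenantId": resource_tenant, "IPAddress": ip}

# Constructed sample data: routine support access, a same-tenant sign-in that must be
# ignored, and one provider account fanning out across four customer tenants overnight.
SAMPLE_SIGNINS = [
    rec("2021-10-01T08:00:00", "support@provider.example", "customer-a", "198.51.100.10"),
    rec("2021-10-01T09:00:00", "support@provider.example", PROVIDER_TENANT, "198.51.100.10"),
    rec("2021-10-01T15:30:00", "support@provider.example", "customer-b", "198.51.100.10"),
    rec("2021-10-02T02:10:00", "admin@provider.example", "customer-a", "203.0.113.77"),
    rec("2021-10-02T02:14:00", "admin@provider.example", "customer-b", "203.0.113.77"),
    rec("2021-10-02T02:21:00", "admin@provider.example", "customer-c", "203.0.113.77"),
    rec("2021-10-02T02:40:00", "admin@provider.example", "customer-d", "203.0.113.77"),
]

def delegated_signins(records, provider_tenant=PROVIDER_TENANT):
    """Keep only sign-ins where a provider-homed account reaches a different (customer) tenant."""
    out = []
    for r in records:
        if r["HomeTenantId"] == provider_tenant and r["ResourceTenantId"] != provider_tenant:
            out.append((datetime.fromisoformat(r["TimeGenerated"]), r["UserPrincipalName"],
                        r["ResourceTenantId"], r["IPAddress"]))
    return sorted(out)  # chronological order, needed by the sliding window below

def fan_out_alerts(records, window=timedelta(hours=1), min_tenants=3):
    """Flag accounts reaching >= min_tenants distinct customer tenants within one sliding window."""
    by_user = defaultdict(list)
    for ts, upn, tenant, ip in delegated_signins(records):
        by_user[upn].append((ts, tenant, ip))
    alerts = {}
    for upn, events in by_user.items():
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            tenants = {t for _, t, _ in in_window}
            if len(tenants) >= min_tenants:
                alerts[upn] = {"tenants": sorted(tenants), "ips": sorted({ip for _, _, ip in in_window})}
                break  # one alert per account is enough for triage
    return alerts
```

On the sample data, `fan_out_alerts(SAMPLE_SIGNINS)` flags only `admin@provider.example`, which reached four customer tenants from one IP in thirty minutes, while the support account's two sign-ins hours apart stay below the threshold.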

Mitigation and remediation

The entire mitigation and remediation process for Nobelium group attacks recommended by Microsoft can be accessed at this link, but the general recommendations for the various service categories can be reviewed below:

- Ensure that multi-factor authentication (MFA) is in use and conditional access policies are enforced;
- Enable the Secure Application Model Framework - SAMF;
- Review and audit logs and settings;
- Remove the delegated administrative privilege (DAP) connection when not in use;
- Review, audit, and minimize delegated access privileges and permissions.

References

  1. https://www.hackread.com/solarwinds-hackers-nobelium-hit-cloud-providers/
  2. https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
  3. https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/