The same threat group behind the compromise of SolarWinds’ IT management software is now leveraging legitimate marketing email software and has compromised the account of USAID to send emails with malicious links to gain access to victim IT environments across a range of industry verticals, according to Microsoft.
The Redmond IT giant published a series of blog posts on the new attack method Thursday, saying the campaign has been observed and tracked by the company’s security professionals since January, but it recently escalated this week by accessing the Constant Contact account of USAID, an independent agency of the U.S. government that administers foreign aid and development assistance.
About a quarter of the targeted organizations are involved in international development, humanitarian and human rights work.
Microsoft maintains that most of the attacks against its customers were automatically blocked, and Windows Defender is blocking the specific malware used in the attack.
The company says the actors – which it called Nobelium – began using Constant Contact as part of their attacks on Tuesday, and the attack is still active. Around 3,000 individual accounts across more than 150 organizations were targeted, but automated systems blocked most of the emails and marked them as spam.
However, earlier emails may have been delivered, Microsoft notes.
In one example Microsoft provided, an email purports to be from USAID and claims former President Donald Trump published new documents on election fraud. If the user clicks the link, they are directed to the legitimate Constant Contact service and then redirected to infrastructure controlled by the hacking group, which delivers a malicious ISO file to the system.
Within this ISO file are the following files that are saved in the %USER%\AppData\Local\Temp\<random folder name>\ path:
- A shortcut (.lnk file) that executes a custom Cobalt Strike Beacon loader
- A decoy document, such as ica-declass.pdf, that is displayed to the target
- A DLL (Documents.dll in the example below) that is a custom Cobalt Strike Beacon loader, dubbed NativeZone by Microsoft
The end result when detonating the LNK file is the execution of “C:\Windows\system32\rundll32.exe Documents.dll,Open”.
When successful, Nobelium achieves persistent access to compromised systems and could then move laterally, exfiltrate data and deliver additional malware.
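As an added illustration (not code from Microsoft or from the article), a defender can hunt process-creation telemetry for the execution pattern described above: rundll32.exe loading a DLL by bare name while running from a folder under the user's AppData\Local\Temp tree. The events and field names below are constructed assumptions, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation events (field names are assumptions,
# loosely modelled on EDR/Sysmon fields; none of this is real telemetry).
EVENTS = [
    {  # the pattern described above: bare DLL name, working dir under Temp
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"C:\Windows\system32\rundll32.exe Documents.dll,Open",
        "cwd": r"C:\Users\alice\AppData\Local\Temp\7f3a9c1e",
    },
    {  # benign: an absolute system DLL, launched from System32
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "cwd": r"C:\Windows\System32",
    },
    {  # not rundll32 at all; must be ignored
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe Documents.dll,Open",
        "cwd": r"C:\Users\alice\AppData\Local\Temp\7f3a9c1e",
    },
]

# "<optional path>rundll32[.exe] <dll>,<export>" with optional quoting
RUNDLL_RE = re.compile(
    r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def resolve_dll(cmdline: str, cwd: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, or None.
    A DLL named without a directory is resolved against the working directory,
    which is where the loader lands for a name no system directory contains."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    if not re.match(r"^[a-z]:\\", dll, re.IGNORECASE):
        dll = cwd.rstrip("\\") + "\\" + dll
    return dll, export

def is_suspicious(event: dict) -> bool:
    """rundll32 loading a DLL that lives under a user's local Temp tree."""
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return False
    resolved = resolve_dll(event["cmdline"], event["cwd"])
    return resolved is not None and bool(TEMP_RE.search(resolved[0]))

def hunt(events: List[dict]) -> List[dict]:
    return [e for e in events if is_suspicious(e)]
```

Run `hunt(EVENTS)` to list the matching events; only the first constructed event is returned.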
To mitigate, Microsoft recommends the following steps:
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure their accounts.
  - For Office 365 users, see multifactor authentication support.
  - For consumer and personal email accounts, see how to use two-step verification.
- Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.
Read Microsoft’s security blog for indicators of compromise and other technical details.