Microsoft says the same Russian hacking group behind the compromise of the SolarWinds Orion platform is targeting IT service providers and cloud technology resellers to leverage their privileged access to end customer networks.
In a series of blogs, Microsoft says the threat actor it calls Nobelium is targeting cloud service providers, managed service providers and other IT services organizations that have administrative privileges to customer networks and has been doing so for at least five months.
The company has been tracking this activity since May, and has notified more than 140 resellers and technology providers that have been targeted. Of those targets, as many as 14 have been successfully compromised.
According to Microsoft, the attacks targeting IT service providers are part of a larger overall campaign between July 1 and Oct. 19 that includes more than 600 targets and nearly 23,000 individual attacks, with success rates in the low single digits.
“By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years,” said Tom Burt, corporate vice president of customer security and trust, in a Microsoft blog post.
Along with the SolarWinds compromise and other attacks against the IT supply chain, this activity suggests the Russian nation-state actor is “train to gain long-term, systematic access to a variety of points in the technology supply chain” with the goal of spying on targets of interest, Burt wrote.
According to Microsoft, the threat actor isn’t leveraging software vulnerabilities, but is instead using common techniques like phishing and password spraying to steal credentials and gain privileged access to appear as a legitimate service provider.
By compromising accounts at the service provider level, a threat actor can take advantage of several potential access vectors, including delegated administrative privileges and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access, the Microsoft Threat Intelligence Center said in a blog.
In one case, Nobelium chained together artifacts and access across four separate providers to reach their end target, compromising service providers that had both remote and on-premises access to a customer’s network.
For service providers, Microsoft released guidance that we covered on our sister site Commercial Integrator, but the company also provided recommendations for downstream customers, including:
- Review, audit and minimize access privileges and delegated permissions. Microsoft recommends that organizations take a least-privilege approach and audit partner relationships to minimize any unnecessary permissions between the organization and service providers. That includes removing access for any partner relationships that look unfamiliar or haven’t been audited.
- Ensure multifactor authentication is enabled and enforce conditional access policies. Since these attacks rely on credential theft, multifactor authentication is the best baseline security tool to protect against threats like this, according to Microsoft. Organizations are also urged to deploy and configure conditional access policies in Azure Active Directory.
- Review and audit logs and configurations. Microsoft advises customers to review and audit Azure sign-ins and configuration changes via the Azure AD sign in logs, Azure AD audit logs and the Microsoft 365 compliance center. Organizations can also see a filtered view of sign-ins by partner in the sign-in logs in the Azure AD admin portal.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!