
Nobelium Hacking Group Targets French Organisations


According to the French national cyber-security agency ANSSI, the Russian-backed Nobelium hacker group responsible for last year's SolarWinds hack has been targeting French organisations since February 2021.

While ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) has not identified how Nobelium gained access to email accounts belonging to French organisations, it has stated that the attackers used those accounts to send malicious emails to foreign entities.

In turn, French government organisations were targeted by fraudulent emails sent from servers belonging to foreign firms, which are believed to have been compromised by the same threat actor. Nobelium's infrastructure for attacks on French entities was built primarily from virtual private servers (VPS) rented from several hosting companies, favouring OVH servers located close to the targeted countries.

"Overlaps have been identified in the tactics, techniques, and procedures (TTP) between the phishing campaigns monitored by ANSSI and the SOLARWINDS supply chain attack in 2020," ANSSI explained in a report. 

To defend against this group's attacks, ANSSI advises restricting the processing of email attachments so that malicious files delivered in phishing campaigns are blocked.

The French agency additionally urges at-risk organisations to apply its Active Directory hardening guidance, with particular attention to the security of AD servers themselves.

Nobelium, the group responsible for last year's SolarWinds supply-chain attack, which led to the compromise of several US federal agencies, is the hacking division of the Russian Foreign Intelligence Service (SVR). It is also tracked as APT29, The Dukes, or Cozy Bear.

In April, the US government formally accused the SVR of orchestrating the "broad-scope cyber-espionage campaign" that targeted SolarWinds.

Cybersecurity firm Volexity also attributed the attacks to the same threat actor, based on tactics observed in incidents going back to 2018.

The Microsoft Threat Intelligence Center (MSTIC) revealed information in May on a Nobelium phishing effort that targeted government agencies from 24 countries. 

Nobelium is still targeting the worldwide IT supply chain, according to Microsoft, having hit 140 managed service providers (MSPs) and cloud service providers and compromised at least 14 since May 2021. 

Nobelium has also attacked Active Directory Federation Services (AD FS) servers, seeking to infiltrate governments, think tanks, and private companies in the United States and Europe using FoggyWeb, a new passive and highly targeted backdoor.

In October, Microsoft disclosed that Nobelium was perhaps the most prominent Russian hacking organisation between July 2020 and June 2021, orchestrating the attacks behind 92% of the notifications Microsoft sent to customers about Russia-based threat activity.

Mandiant has likewise linked the group to attempts to compromise government and enterprise networks around the world by targeting their MSPs with a new backdoor codenamed Ceeloader, which is designed to deliver additional malware and collect sensitive information of political interest to Russia.

Chipotle's Email Marketing Account Compromised to Spread Malware


In mid-July, a new phishing campaign was detected that used a compromised mailing-service account. In the four days between July 13, 2021, and July 16, 2021, anti-phishing firm Inky uncovered 121 phishing emails in this campaign.

In May 2021, Nobelium (suspected of being behind the SolarWinds attack) used a similar phishing method. Microsoft reported in May on a Nobelium campaign in which fraudulent emails were delivered to 3,000 accounts across 150 companies in 24 countries. All of the fraudulent emails were sent through the Constant Contact mailing service, using the hacked account of the US Agency for International Development (USAID).

Inky, the anti-phishing firm that identified the new campaign, says the 121 emails are likely a small fraction of the total number sent. Inky states in its report that it is examining whether the current campaign was launched by the same threat actor or by copycat criminals using the same approach as Nobelium.

The method consists of compromising a legitimate mail-service user's account. The account used in the most recent instance belonged to Chipotle, a fast-food chain, and the mail provider was Mailgun. Because the emails appear to come from authentic, high-reputation sources, this approach has a high success rate.

Since they come from a high-reputation IP address (Mailgun: 166.78.68.204) and pass SPF and DKIM authentication, the emails pass through various automated phishing detection systems.

Of the 121 phishing emails discovered, two were vishing attacks (phony voicemail alerts with malware attachments), 14 impersonated USAA Bank, and 105 impersonated Microsoft. Inky does not specify what malware was used in the vishing attacks, nor does it name the firms that were phished.

A mail.chipotle[.]com link in the 14 USAA Bank impersonations led to a fraudulent USAA Bank credential-harvesting site. The site is a convincing copy of the legitimate bank site, complete with a flawless copy of the USAA logo.

The researchers commented, “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born.” 

The majority of the phishing emails masquerade as coming from Microsoft. This is predictable, given that nearly everyone has a Microsoft account, and almost all of those accounts hold a wealth of information (such as other logins, trade secrets, financial details, and more).

In the sample presented by Inky, the email is sent by 'Microsoft 365 Message Center'. The subject reads, "You have (7) clustered/undelivered emails 16 July 2021." This should not mislead an informed user, who would wonder why Microsoft is sending email through a fast-food chain, but it may deceive automated detection systems that rely heavily on sender reputation.

The email's body is a classic fraud trap. Seven emails for the target have been held up due to storage problems but are now ready for collection (the curiosity trigger). Ignoring the notification may result in the account being disabled (the fear trigger). Then there is a button that says "Release messages to the inbox." When the user clicks it, they are sent to a fake Microsoft login page that harvests their credentials.

The key to identifying this sort of phishing email is the mismatch between the sender's display name (in this case, Microsoft, USAA, or VM Caller ID) and the actual sending address (in this case, postmaster[@]chipotle[.]com): the former is unlikely to send email through the latter. However, secure email gateways frequently rely on simply verifying that the sending domain is authentic and that the email comes from an approved range of IP addresses.
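As an added example (not code from the article or from Inky), the following Python check implements the display-name versus sending-domain comparison described above and shows why a passing SPF/DKIM result alone is not enough. The brand-to-domain table and the sample headers are constructed for illustration, modelled on the Chipotle case.

```python
"""Flag emails whose From display name claims a protected brand while the
actual sending domain belongs to someone else, regardless of SPF/DKIM."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands worth protecting and the domains they legitimately send from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "usaa": {"usaa.com"},
}


def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def classify(raw_message):
    """Return the parsed sender fields plus a brand-impersonation verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    impersonated = None
    for brand, allowed in BRAND_DOMAINS.items():
        claims_brand = brand in display.lower()
        sent_by_brand = any(domain == d or domain.endswith("." + d) for d in allowed)
        if claims_brand and not sent_by_brand:
            impersonated = brand  # display name claims a brand it does not send as
    # SPF/DKIM only prove the mail really came from chipotle.com, not from Microsoft.
    return {"display": display, "domain": domain, "auth": auth,
            "impersonated_brand": impersonated, "suspicious": impersonated is not None}


# Constructed sample headers modelled on the phishing email in the article.
PHISH = """From: Microsoft 365 Message Center <postmaster@chipotle.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=chipotle.com; dkim=pass header.d=chipotle.com
Subject: You have (7) clustered/undelivered emails 16 July 2021

Release messages to the inbox
"""

# Constructed legitimate counterpart: display name and sending domain agree.
LEGIT = """From: Microsoft Account Team <noreply@microsoft.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com
Subject: Security info was added

Your account was updated.
"""
```

Running `classify(PHISH)` marks the message suspicious even though both SPF and DKIM are "pass", while `classify(LEGIT)` does not.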

Microsoft Says an Attacker Gained Access to One of its Customer-Service Agents


On Friday, Microsoft revealed that an attacker gained access to one of its customer-service agents and then used the data to launch hacking attempts against customers. The company said it discovered the breach while responding to attacks by the group it blames for earlier significant breaches at SolarWinds and Microsoft.

Microsoft stated that the affected customers had been notified. According to a copy of one warning seen by Reuters, the attacker belonged to the group Microsoft designates as Nobelium and had access in the second half of May. "A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions," the warning reads. The US government has officially blamed the Russian government for the earlier attacks, which Moscow denies.

Microsoft said it discovered the breach of its own agent, who it said had limited permissions, after commenting on a larger phishing attack that it said had affected a small number of businesses. Among other things, the agent could access billing contact information and the services that customers pay for. "The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign," Microsoft said.

Microsoft advised affected customers to be cautious when communicating with their billing contacts, to consider changing their usernames and email addresses, and to prevent users from logging in with outdated usernames. Three entities were compromised in the phishing attempt, according to Microsoft. It was unclear whether any of those whose data was viewed through the support agent were also targets of the broader campaign, or whether the agent had been duped by the broader campaign.

Nobelium's recent breach, according to a spokeswoman, was not part of the threat actor's earlier successful attack on Microsoft, in which it stole some source code. In the SolarWinds hack, the group altered code at SolarWinds to gain access to its customers, which included nine US federal agencies.

According to the Department of Homeland Security, the attackers took advantage of flaws in the way Microsoft products were configured at SolarWinds customers and others. Microsoft later revealed that the hackers had broken into its own employee accounts and taken source code relating to how the company verifies user identities.

Russian Hacking Group Nobelium Attacks 150 Organizations, Hacks Mails

Nobelium, the Russian hacking group responsible for the 2020 SolarWinds cyberattacks, is back in the game. This time the group used Constant Contact, a cloud marketing service, in a phishing attack aimed at 3,000 email accounts across 150 organizations. Microsoft disclosed the latest attack in a blog post titled "Another Nobelium Cyberattack", which warned that the group aims to break into trusted technology providers in order to attack their customers.

Rather than the SolarWinds network monitoring tool, Nobelium this time gained access to the Constant Contact account of USAID (United States Agency for International Development). Tom Burt, Microsoft's corporate vice president of customer security and trust, said: "Using the legitimate mass mailing service Constant Contact, Nobelium attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients."

After compromising USAID's Constant Contact account, Nobelium distributed authentic-looking phishing emails containing a link which, when opened, delivered a malicious file, "NativeZone", used to install a backdoor. The backdoor could enable activities such as data theft and the compromise of other networks. Constant Contact said it was aware of an account breach affecting one of its customers, that it was an isolated incident, and that it had deactivated all affected accounts while working with law enforcement. Microsoft says that most of the attacks targeting its customers were blocked automatically by Windows Defender, which also blocked the malware used in the attack.

"We detected this attack and identified victims through the ongoing work of the Microsoft Threat Intelligence Center (MSTIC) team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft's products or services. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work," said Burt.