The group of hackers responsible for the SolarWinds software supply chain attack have continued to seek out ways of indirectly gaining access to enterprise networks by targeting IT and cloud services providers that have admin rights on their customers’ systems through virtue of their business relationship.
In a new report this week, Microsoft warns that since May, the group known as Nobelium has targeted over 140 cloud service resellers and technology providers and has succeeded to compromise as many as 14. Nobelium, also known as APT29 or Cozy Bear, is considered the hacking arm of Russia’s foreign intelligence service, the SVR.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest to the Russian government,” Tom Burt, corporate vice president for Customer Security & Trust at Microsoft, said in a blog post.
Compromise one to compromise many in the supply chain
Supply chain attacks can come in many forms. They can involve Trojanized software updates like in the SolarWinds, CCleaner (Winnti), NetSarang (ShadowPad) or M.E.Doc (NotPetya) incidents or can involve the abuse of privileged access granted to external contractors, business partners, or IT services providers. The 2013 credit card breach at Target traced back to the compromised credentials of an HVAC subcontractor. In the past several years, many managed services providers (MSPs) around the world were targeted by ransomware groups to abuse their access to corporate networks.
While security experts have long warned about supply chain risks, enterprises have lagged behind putting the necessary controls and monitoring in place to detect them. Part of why such attacks can be a big blindspot is because defending against them requires a combination of technologies, including up-to-date IT asset and software inventories, logs analysis, behavior monitoring, network traffic and credential use, implementing principles of least privilege for accounts and software, multi-factor authentication and more. It’s not as easy as patching a vulnerability or deploying endpoint malware detection.
In fact, most of the Nobelium attacks that Microsoft has seen do not exploit any vulnerability. Instead, the group uses well-known techniques like spear phishing, access token theft, unprotected API abuse, and password spraying (i.e., trying common passwords against a list of usernames present in the system). In fact, one successful supply chain attack can collect credentials for additional supply chain attacks.
In one case, the Microsoft researchers traced a Nobelium attack through four distinct providers before reaching a downstream customer. The group gained access to a cloud services provider and launched a spear-phishing attack against an MSP. With the credentials collected from the MSP they jumped to a different cloud service provider where they exploited an AD Azure trust relationship to access an IT provider and finally jump to the end victim’s network.
“By stealing credentials and compromising accounts at the service provider level, Nobelium can take advantage of several potential vectors, including but not limited to delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access,” the researchers warned in an advisory.
The hackers are very adept at researching and understanding the business and access relationships between various services providers, subscription resellers, and their customers or partners. The downstream organizations that eventually get compromised are carefully selected based on their value to intelligence collection efforts.
“Microsoft assesses that organizations, such as cloud service providers and other technology organizations who manage services on behalf of downstream customers, will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods, from credential access to targeted social engineering via legitimate business processes and procedures,” the company said.
Nobelium behaviors and characteristics
According to the company, the following behaviors and characteristics are common to Nobelium intrusions:
- Nobelium leverages “anonymous” infrastructure, which may include low-reputation proxy services, cloud hosting services, and TOR, to authenticate to victims.
- Nobelium has been observed leveraging scripted capabilities, including but not limited to RoadTools or AADInternals, to conduct enumeration of Azure AD, which can result in authentication with user agents of scripting environments.
- Nobelium has been observed authenticating to accounts from anomalous locations that might trigger impossible travel analytics or fail to pass deployed conditional access policies.
- Nobelium has been observed modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications, and creation of additional service principal credentials.
- In one incident, MSTIC observed the use of Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO), as a technique to gain access to virtual machines and shift access from cloud to on-premises.
- Nobelium has demonstrated an ongoing interest in targeting privileged users, including Global Administrators. Security of at-risk organizations is greatly enhanced by prioritizing events that are detected on privileged accounts.
- Nobelium is frequently observed conducting activities consistent with intelligence collection. Routinely monitoring various log sources for anomalies consistent with data exfiltration can serve as an early warning for compromise.
- Organizations previously targeted by Nobelium might experience recurring activity and would benefit from implementing proactive monitoring for new attacks.
How to mitigate Nobelium’s supply chain attacks
Microsoft released specific guidance for partners and resellers operating on its cloud platforms. The Microsoft Partner Center security requirements include using multifactor authentication and conditional access policies for cross-tenant access, as well as monitoring the Partner Center activity log for any suspicious user activities, high privileged user creations, and role assignments and so on.
More generally, all partners are advised to remove delegated administrative privileges that are no longer in use. End customers provide DAP to their services providers to manage their subscriptions on their behalf. Microsoft plans to introduce a tool that will help partners discover unused DAP connections as well as review how their active DAP connections are being used.
Downstream customers should also review, audit and minimize access privileges and delegated permissions they’ve granted to partners as well as review all admin accounts and the devices authorized for MFA use on those accounts.
“In addition to using the delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants,” Microsoft said. “We recommend that you identify whether your cloud service providers use these, and if so, ensure those accounts are well-governed and have least-privilege access in your tenant. Microsoft recommends against the use of ‘shared’ administrator accounts.”
Azure AD sign-ins and configuration changes should be reviewed periodically through the Azure AD sign-in logs, audit logs and the Microsoft 365 compliance center. Organizations should understand the logging options available to them on their cloud platforms, as well as ask the partners that manage such services for them about their own logging policies and use.
Microsoft has also published on GitHub detections and hunting queries for Azure Sentinel, as well as detections for Microsoft 365 Defender and Microsoft Cloud App Security that can be used to detect some of the behavior and techniques associated with supply chain attacks such as those performed by Nobelium.
Copyright © 2021 IDG Communications, Inc.
