Dive Brief:
- The threat actor behind the SolarWinds attack is using new tactics to target sensitive data by impersonating mailbox owners in Microsoft 365 tenants, Mandiant research found. The threat actor is also infiltrating cloud service providers (CSPs) to gain access to their customers.
- The threat actor, which Mandiant calls UNC2452 and Microsoft calls Nobelium, uses EWS impersonation (via the ApplicationImpersonation role) to essentially assume the identity of other account holders, according to Doug Bienstock, manager of incident response at Mandiant. The tactic allows the threat actor to open mailboxes, read emails, send messages in an account holder's name, and set out-of-office status updates.
- The CSPs in these instances are vendors that resell Microsoft 365 subscriptions and manage subscriptions to an end customer, similar to managed service providers (MSPs), according to Bienstock. By compromising CSPs, the threat actor can go after several targets at the same time because the CSPs manage the Microsoft 365 environments of multiple end targets.
Dive Insight:
Researchers have observed the threat actor using EWS impersonation to target organizations for mass email harvesting since at least early 2021, Bienstock said. The technique was first described in red teaming circles back in 2016.
But EWS impersonation is not always malicious. A legitimate use would be if an application checks a human resources system for scheduled time off and automatically sets out-of-office messages, Bienstock said.
"This feature must be explicitly granted to an account by an administrator in the organization," Bienstock told Cybersecurity Dive. "It is useful to a threat actor because with access to one single account, they can become any other user in the victim organization and access that user's email, attachments and contacts."
Because the tactic abuses a legitimate feature of Microsoft Exchange and Exchange Online, organizations should lock down the use of this feature and proactively monitor for signs of abuse.
Accounts granted privileges to use impersonation should have logins restricted to certain IP addresses the organization knows are trusted and actively used by the application, Bienstock said. Organizations should also create alerts for new accounts that are granted the privilege for impersonation.
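The two controls Bienstock recommends, alerting on new grants of the impersonation role and flagging sign-ins by impersonation-capable accounts from outside a trusted allow-list, as an added example that is not part of the Mandiant or Microsoft research. The records are constructed and loosely modelled on Microsoft 365 Unified Audit Log entries (Exchange admin cmdlet audit plus sign-in events); the exact field layout and the allow-list network are assumptions.

```python
"""Detections for ApplicationImpersonation abuse over constructed audit records."""
import ipaddress

# Constructed sample records, loosely modelled on Unified Audit Log entries
# (Exchange admin cmdlet audit and UserLoggedIn events). Not real telemetry.
SAMPLE_LOG = [
    {"Operation": "New-ManagementRoleAssignment", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Role", "Value": "ApplicationImpersonation"},
                    {"Name": "User", "Value": "svc-ooo@contoso.example"}]},
    {"Operation": "New-ManagementRoleAssignment", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Role", "Value": "Mail Recipients"},
                    {"Name": "User", "Value": "helpdesk@contoso.example"}]},
    {"Operation": "UserLoggedIn", "UserId": "svc-ooo@contoso.example", "ClientIP": "203.0.113.10"},
    {"Operation": "UserLoggedIn", "UserId": "svc-ooo@contoso.example", "ClientIP": "198.51.100.77"},
    {"Operation": "UserLoggedIn", "UserId": "alice@contoso.example", "ClientIP": "198.51.100.77"},
]

# Assumed allow-list: the only network the out-of-office integration runs from.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def impersonation_grants(records):
    """Return (grantor, grantee) for each new ApplicationImpersonation assignment.
    Each hit is a candidate alert: the role should only be granted deliberately."""
    grants = []
    for r in records:
        if r.get("Operation") != "New-ManagementRoleAssignment":
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        if params.get("Role") == "ApplicationImpersonation":
            grants.append((r["UserId"], params.get("User")))
    return grants


def untrusted_impersonator_logins(records, trusted_nets=TRUSTED_NETS):
    """Flag sign-ins by impersonation-capable accounts from outside the allow-list.
    Here the privileged set is derived from grants in the same log; in practice
    seed it from the tenant's current role assignments as well."""
    privileged = {grantee for _, grantee in impersonation_grants(records)}
    alerts = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn" or r.get("UserId") not in privileged:
            continue
        ip = ipaddress.ip_address(r["ClientIP"])
        if not any(ip in net for net in trusted_nets):
            alerts.append((r["UserId"], r["ClientIP"]))
    return alerts


if __name__ == "__main__":
    print(impersonation_grants(SAMPLE_LOG))
    print(untrusted_impersonator_logins(SAMPLE_LOG))
```

Only the service account's sign-in from the untrusted address is flagged; the ordinary user's sign-in from the same address is not, because that account was never granted the role.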
The threat actor, linked to Russian state sponsors, unleashed a historic supply chain attack against SolarWinds from 2019 to late 2020, before being discovered. The SolarWinds attack involved the poisoning of that company's Orion monitoring platform.
Microsoft has faced intense scrutiny since the attack was uncovered in December 2020, as the threat actor was able to view some of the company's source code and the attack raised questions among researchers and customers about the vulnerability of Microsoft enterprise platforms.
Mandiant outlined efforts by the threat actor to access Microsoft 365 mailboxes by altering permissions in March.
Microsoft issued detailed research on the new attacks from Nobelium last week. Microsoft began observing the attacks in May; a total of 140 resellers and technology service providers have been targeted and 14 have been compromised, according to a blogpost by Tom Burt, corporate vice president of customer trust and security.
The attacks have been part of a larger wave by the threat actor — Microsoft has notified 609 customers between July 1 and Oct. 19 that they had been attacked 22,868 times by Nobelium, according to the blogpost. Microsoft also released technical guidance to help improve security.