Dive Brief:
- One year after the SolarWinds attack was uncovered, Mandiant researchers say suspected Russian threat actors with links to Nobelium are targeting businesses, government agencies and NGOs, according to research released Monday. The threat actors are using a variety of tactics, including stolen credentials, and compromising cloud solution providers (CSPs) and managed service providers (MSPs).
- In one campaign, threat actors gained access to an organization's Microsoft 365 environment using a stolen session token, according to Mandiant. Some systems in the target organization were infected with CRYPTBOT, an info-stealer that harvests browser data, including session tokens. The threat actors replayed the stolen tokens, in some cases from public VPN providers, to authenticate to the Microsoft 365 environment; a replayed token carries the original session's authentication, so no password or MFA prompt is triggered.
- In at least one case the threat actors compromised a Microsoft Azure AD account inside a CSP tenant. The account held Admin on Behalf Of (AOBO) rights, a CSP-program feature that gives partner accounts administrative access to the Azure subscriptions created for customers through the program, according to Mandiant. Using those CSP credentials and AOBO, the threat actor gained privileged access to Azure subscriptions used to manage downstream customer systems.
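A replayed session token looks like a normal sign-in to the tenant, so the practical check is to watch a session ID move between networks. The following is an added example, not code from Mandiant or from the article: it runs over constructed sign-in records that use a simplified subset of the Azure AD sign-in log fields (session ID, source IP, autonomous system number, country, whether MFA was satisfied), and the "known VPN" ASN set is a placeholder to fill from your own intelligence.

```python
"""Flag Microsoft 365 sessions that appear to be replayed from a second
network, the indicator behind the CRYPTBOT session-token theft above.

Added example, not from the article or Mandiant. Records and ASN list are
constructed; field names are a simplified subset of the Azure AD sign-in
log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one ordinary session and one whose token is later
# reused from a commercial VPN exit node in another country.
SAMPLE_SIGNINS = [
    {"time": "2021-11-02T08:01:00Z", "user": "alice@example.com", "sessionId": "S-1",
     "ipAddress": "203.0.113.10", "asn": 64496, "country": "US", "mfa": True},
    {"time": "2021-11-02T11:30:00Z", "user": "alice@example.com", "sessionId": "S-1",
     "ipAddress": "203.0.113.10", "asn": 64496, "country": "US", "mfa": False},
    {"time": "2021-11-02T09:15:00Z", "user": "bob@example.com", "sessionId": "S-2",
     "ipAddress": "203.0.113.44", "asn": 64496, "country": "US", "mfa": True},
    {"time": "2021-11-02T09:52:00Z", "user": "bob@example.com", "sessionId": "S-2",
     "ipAddress": "198.51.100.7", "asn": 64500, "country": "NL", "mfa": False},
]

KNOWN_VPN_ASNS = {64500}          # placeholder: populate from your own intel feed
MAX_TRAVEL = timedelta(hours=2)   # shorter than any plausible US-to-EU trip


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(signins, vpn_asns=KNOWN_VPN_ASNS, max_travel=MAX_TRAVEL):
    """Return findings for sessions re-used from a different ASN or country.

    A session token bound to one browser should keep appearing from the same
    network. A second ASN, a second country inside `max_travel`, or a sign-in
    from a known VPN exit that satisfied no fresh MFA are replay indicators.
    """
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["sessionId"]].append(rec)

    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        first = recs[0]                       # where the session was established
        for rec in recs[1:]:
            reasons = []
            if rec["asn"] != first["asn"]:
                reasons.append("asn_change")
            elapsed = parse_time(rec["time"]) - parse_time(first["time"])
            if rec["country"] != first["country"] and elapsed < max_travel:
                reasons.append("impossible_travel")
            if rec["asn"] in vpn_asns and not rec["mfa"]:
                reasons.append("vpn_without_mfa")
            if reasons:
                findings.append({"user": rec["user"], "sessionId": sid,
                                 "first_ip": first["ipAddress"],
                                 "replay_ip": rec["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_SIGNINS):
        print(f)
```

Tune the ASN check for mobile users, whose carrier ASNs legitimately change; the VPN-without-MFA and impossible-travel signals are the lower-noise ones, and a hit on either warrants revoking the user's sessions rather than just the password, since the stolen token stays valid until it is revoked.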
Dive Insight:
The two new threat actor entities associated with the attacks are UNC3004 and UNC2652, which Mandiant researchers say are affiliated with UNC2452, the SolarWinds threat actor that Microsoft dubbed Nobelium.
Among the targets of this activity, there have been technology solutions and services providers, reseller companies, government entities, consulting organizations, and NGOs in North America and Europe, according to Mandiant researchers.
"We have seen this threat actor ultimately target government entities, consulting organizations and NGOs in North America and Europe who directly have data of interest to the Russian government," according to Doug Bienstock, manager of incident response at Mandiant.
The threat actor used various techniques, including remote desktop protocol to pivot between systems that had limited internet access and execute numerous Windows commands, according to Mandiant. In one case, Windows Task Manager was used to dump the memory of the LSASS process, which holds cached credentials. The threat actor also obtained the Azure AD Connect configuration, the associated AD service account, and the key material that encrypts the stored service account credentials, according to Mandiant.
The threat actor also obtained the Active Directory Federation Services token-signing certificate and its private key, which allowed it to forge SAML tokens (the technique known as Golden SAML). Because Microsoft 365 trusts any assertion carrying a valid signature from that key, a forged token bypasses 2FA and conditional access policies, which are enforced at the federation server the attacker no longer needs to touch.
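A forged SAML token is indistinguishable from a real one at the signature level, so the useful detection is the gap it leaves: Microsoft 365 records a federated sign-in, but the AD FS farm never logged issuing a token for that user. The following correlation is an added example, not code from the article or Mandiant. The sign-in records are constructed and use a subset of the Azure AD sign-in schema (tokenIssuerType equal to "ADFederationServices" marks a federated sign-in); the AD FS records stand in for security-log events 1200 and 1202, which AD FS writes when it issues or validates a token. It assumes audit logging is enabled and collected from every node in the farm, because a missing node makes legitimate sign-ins look forged.

```python
"""Spot Microsoft 365 sign-ins backed by a SAML token that AD FS never
issued, the trace a forged (Golden SAML) token leaves behind.

Added example, not from the article or Mandiant. All records below are
constructed; field names are a simplified subset of the real schemas.
"""
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed AD FS security-log events (1200 = issued a valid token,
# 1202 = validated a credential) collected from all farm nodes.
ADFS_EVENTS = [
    {"EventID": 1200, "time": "2021-11-02T08:00:40Z", "user": "alice@example.com"},
    {"EventID": 1200, "time": "2021-11-02T10:20:05Z", "user": "carol@example.com"},
]

# Constructed Azure AD sign-ins. Carol's 13:05 sign-in presents a federated
# token but no AD FS node issued one; that is the Golden SAML signature.
AAD_SIGNINS = [
    {"time": "2021-11-02T08:01:00Z", "user": "alice@example.com",
     "tokenIssuerType": "ADFederationServices"},
    {"time": "2021-11-02T10:21:00Z", "user": "carol@example.com",
     "tokenIssuerType": "ADFederationServices"},
    {"time": "2021-11-02T13:05:00Z", "user": "carol@example.com",
     "tokenIssuerType": "ADFederationServices"},
    {"time": "2021-11-02T14:00:00Z", "user": "dave@example.com",
     "tokenIssuerType": "AzureAD"},
]


def find_orphan_federated_signins(signins, adfs_events, window=timedelta(minutes=10)):
    """Return federated Azure AD sign-ins with no AD FS issuance event for the
    same user in the preceding `window`.

    A token forged with the stolen signing key never passes through AD FS, so
    the issuance event is absent. MFA and conditional access are skipped for
    the same reason: they run on the federation server, and Azure AD accepts
    the assertion on the strength of its signature alone.
    """
    issued = {(e["user"].lower(), ts(e["time"]))
              for e in adfs_events if e["EventID"] in (1200, 1202)}
    orphans = []
    for s in signins:
        if s["tokenIssuerType"] != "ADFederationServices":
            continue  # Azure AD issued this token itself; out of scope
        t = ts(s["time"])
        matched = any(u == s["user"].lower() and t - window <= it <= t
                      for (u, it) in issued)
        if not matched:
            orphans.append(s)
    return orphans


if __name__ == "__main__":
    for o in find_orphan_federated_signins(AAD_SIGNINS, ADFS_EVENTS):
        print("no AD FS issuance for", o["user"], "at", o["time"])
```

Clock skew between the farm and Azure AD, and the SAML NotBefore/NotOnOrAfter validity that lets a token be used minutes after issuance, are why the window is ten minutes rather than seconds; a hit still means the signing key should be treated as compromised and rotated, since revoking the user's sessions does nothing against a key the attacker can sign with again.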
In several campaigns the threat actor hosted second-stage payloads on compromised WordPress sites. This activity was not linked to the recent WordPress breach involving GoDaddy, according to Bienstock.
This particular threat actor activity has been ongoing since 2020 and reflects the targeted, low-and-slow approach commonly associated with nation-state threat actors, according to Allie Mellen, analyst for security and risk at Forrester.
"We are seeing an ongoing trend of threat actors targeting third parties as an entryway into higher profile targets like governments and NGOs, as seen here," Mellen said via email. "What is most important for organizations to take away from this is that, if they work with a high-profile target such as a government, they may become a target for nation-state attackers as they look for a way in."
Mellen warned that for any high-profile target, third-party relationships are a potential gateway for an attack on your organization.