Supply chain attacks 2021 - SolarWinds APT Targets Tech Resellers in Latest Supply-Chain CyberattacksOriginal article: https://threatpost.com/solarwinds-tech-resellers-supply-chain-cybe...
Click Here:- https://www.youtube.com/watch?v=RMq8BN_RBRc
The SolarWinds attackers – an advanced persistent threat (APT) known as Nobelium – have started a new wave of supply-chain intrusions, this time using the technology reseller/service provider community to attack their targets.
The activity has affected victims in North America and Europe thus far, researchers said, and the goal is espionage: Nobelium has been linked to the Russian government’s foreign intelligence service, known as SVR.
According to an analysis from Mandiant and Microsoft, Nobelium isn’t exploiting a vulnerability or, as was the case with SolarWinds, trojanizing legitimate code. Instead, it’s infiltrating reseller networks using tried-and-true tactics like credential-stuffing and phishing, as well as API abuse and token theft, in order to gather legitimate account credentials and privileged access to reseller networks.
From there, Nobelium attempts to pivot and land inside the networks of reseller customers downstream. Once inside a reseller network, it becomes much easier to impersonate the company and exploit the trusted relationship that reseller has with its customers, researchers pointed out.
“Mandiant has investigated multiple intrusions in 2021 where suspected Russian threat actors exploited supply-chain relationships between technology companies and their customers,” said Mandiant senior vice president and CTO Charles Carmakal, via email. “While the SolarWinds supply-chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government.”
Since May, Microsoft has observed Nobelium attacking more than 140 resellers and technology service providers, it said, with about 14 of them succumbing to compromise. However, in its writeup, issued Sunday, the software giant didn’t say how many downstream customers have been affected.
Mandiant’s Carmakal only said that the firm has seen successful intrusions into on-premises and cloud victim environments.
“This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor,” Carmakal said. “Investigating these intrusions requires collaboration and information-sharing across multiple victim organizations, which is ch allenging due to privacy concerns and organizational sensitivities.”
The approach is also particularly effective for Nobelium because it allows the cyberattackers to avoid dealing with what could be strong defense measures at the end-user targets, he added.
“It shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyberdefenses, to smaller technology partners with less mature cyberdefenses,” he said.
If successful, an attack could allow for data theft, reconnaissance, compromise of customer systems and more.
“Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems,” according to Microsoft. “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”
To that point, Microsoft also said that this particular campaign is merely a subset of a larger wave of Nobelium activities, which points to significantly ramped-up efforts by Russia to establish a persistent anchor for its spy activities. For instance, in September it was seen installing the FoggyWeb custom backdoor on single sign-on servers.
“Between July 1 and Oct. 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” according to its writeup. “By comparison, prior to July 1, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”
Famously, the SolarWinds attack caused widespread damage and allowed Nobelium to gain access to several U.S. government agencies, by hijacking a legitimate software update from the platform to push malware to SolarWinds users.
No comments:
Post a Comment