Dec 8, 2021

A year later, Nobelium-linked threat actors still target businesses, government


The two new threat actor entities associated with the attacks are UNC3004 and UNC2652, which Mandiant researchers say are affiliated with UNC2452, the SolarWinds threat actor that Microsoft dubbed Nobelium. 
Among the targets of this activity, there have been technology solutions and services providers, reseller companies, government entities, consulting organizations, and NGOs in North America and Europe, according to Mandiant researchers. 
“We have seen this threat actor ultimately target government entities, consulting organizations and NGOs in North America and Europe who directly have data of interest to the Russian government,” according to Doug Bienstock, manager of incident response at Mandiant. 
The threat actor used various techniques, including remote desktop protocol to pivot between systems that had limited internet access and execute numerous Windows commands, according to Mandiant. In one case, Windows Task Manager was used to dump process memory that belonged to LSASS. The threat actor also obtained the Azure AD Connect configuration, along with the associated AD service account and the key material used to encrypt service account credentials, according to Mandiant. 
The Active Directory Federation Services signing certificate and key material were also obtained. With these, the threat actor could forge a SAML token and use it to bypass 2FA and conditional access policies to reach Microsoft 365. 
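One defensive check for the forged-token technique described above, added here as an example and not code from Mandiant or the article: a SAML token that AD FS never issued still produces a federated sign-in in the cloud, so federated Microsoft 365 sign-ins with no matching AD FS token-issuance event (event IDs 1200/1202) for the same user shortly beforehand are worth investigating. The record layouts, field names and the sample log entries are constructed assumptions, not a real export format.

```python
"""Flag federated cloud sign-ins with no AD FS token issuance behind them.

A forged SAML token is presented straight to the cloud identity provider,
so the on-premises AD FS audit log shows no 1200 (token issued) or
1202 (credential validated) event for that user near the sign-in time.
Field names below are assumptions for this example, not a vendor schema.
"""
from datetime import datetime

# Constructed sample records (not real logs).
ADFS_TOKEN_ISSUED = [
    {"event_id": 1200, "upn": "alice@example.com", "time": "2021-12-06T09:00:05Z"},
    {"event_id": 1202, "upn": "alice@example.com", "time": "2021-12-06T09:00:06Z"},
    {"event_id": 1200, "upn": "bob@example.com",   "time": "2021-12-06T10:15:00Z"},
]
CLOUD_SIGNINS = [
    {"upn": "alice@example.com", "auth": "Federated",    "time": "2021-12-06T09:00:09Z"},
    {"upn": "bob@example.com",   "auth": "Federated",    "time": "2021-12-06T10:15:03Z"},
    # Federated sign-in with no AD FS issuance in the window: suspicious.
    {"upn": "bob@example.com",   "auth": "Federated",    "time": "2021-12-06T23:41:00Z"},
    # Not federated, so AD FS is not expected to be involved.
    {"upn": "carol@example.com", "auth": "PasswordHash", "time": "2021-12-06T11:00:00Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unmatched_federated_signins(signins, adfs_events, window_seconds=60):
    """Return federated sign-ins that have no AD FS 1200/1202 event for the
    same user within the window_seconds preceding the sign-in."""
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] in (1200, 1202):
            issued.setdefault(ev["upn"].lower(), []).append(parse_ts(ev["time"]))
    suspicious = []
    for s in signins:
        if s["auth"] != "Federated":
            continue  # only federated sign-ins should originate from AD FS
        t = parse_ts(s["time"])
        candidates = issued.get(s["upn"].lower(), [])
        if not any(0 <= (t - it).total_seconds() <= window_seconds for it in candidates):
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for hit in unmatched_federated_signins(CLOUD_SIGNINS, ADFS_TOKEN_ISSUED):
        print("federated sign-in without AD FS issuance:", hit["upn"], hit["time"])
```

Clock skew between AD FS and the cloud logs and legitimate token caching can produce false positives, so tune the window against a baseline before alerting on it.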
In several campaigns the threat actor hosted second-stage payloads on compromised WordPress sites. This was not connected to the recent WordPress attack linked to GoDaddy, according to Bienstock.
This particular threat actor activity has been ongoing since 2020, and points to the targeted, low and slow nature commonly associated with nation state threat actors, according to Allie Mellen, analyst, security and risk at Forrester. 
“We are seeing an ongoing trend of threat actors targeting third-parties as an entryway into higher profile targets like governments and NGOs, as seen here,” Mellen said via email. “What is most important for organizations to take away from this is that, if they work with a high-profile target such as a government, they may become a target for nation-state attackers as they look for a way in.”
Mellen warned that for any high-profile target, third-party relationships are a potential gateway for an attack on your organization. 

