On Friday, June 25, Microsoft revealed that a new set of attacks had been carried out by Nobelium (APT 29), the same group to which the SolarWinds attacks of last year are attributed. The group used password sprays and brute-force attacks to access Microsoft customer accounts. As of now, only three organizations are known to have been breached, and they are being notified. It has also come to light that a Microsoft staff member was compromised: Microsoft disclosed that an information stealer was found on that employee's host machine. The malware was designed to collect information on a small number of customers from the staff member's computer.
While reporting on sophisticated, nation-state-backed threat actors varies widely, it is quite often the case that even advanced attackers use simple tactics because they still work. Methods like password spraying and password brute-forcing have been well documented over decades as effective (though crude) ways to access systems and accounts. Enabling auditing for Office 365 and taking advantage of Microsoft 365 Advanced Threat Protection is one of the most effective means of detecting and tracking when an account is potentially compromised. Enabling and requiring Multi-Factor Authentication (MFA) for access to all important accounts is an even better way of preventing threat actors from gaining access in the first place. Building detections for online accounts, in addition to endpoints, is necessary because most business activity is no longer on-prem, and threat actors find great value in targeting cloud-based services to steal the sensitive information that is often found in email and collaboration services.
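As an added example (not from the original post or from Microsoft), the detection logic below runs over constructed sign-in records to separate the two tactics named above: a password spray (many distinct users, one or two failures each, from one source) versus a brute-force attempt (many failures against one user), and it flags a spray that is followed by a successful sign-in from the same source, which is the case that deserves immediate triage. The JSON field names are an assumption that only loosely mirrors the Azure AD sign-in log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (not real data). The field names are an
# assumption that only loosely mirrors the Azure AD sign-in log schema; result
# 50126 is the Azure AD code for a bad username or password, 0 is success.
SAMPLE_LOG = """
{"time": "2021-06-25T08:00:05Z", "ip": "203.0.113.7", "user": "alice@corp.example", "result": 50126}
{"time": "2021-06-25T08:00:09Z", "ip": "203.0.113.7", "user": "bob@corp.example", "result": 50126}
{"time": "2021-06-25T08:00:14Z", "ip": "203.0.113.7", "user": "carol@corp.example", "result": 50126}
{"time": "2021-06-25T08:00:20Z", "ip": "203.0.113.7", "user": "dave@corp.example", "result": 50126}
{"time": "2021-06-25T08:00:27Z", "ip": "203.0.113.7", "user": "erin@corp.example", "result": 50126}
{"time": "2021-06-25T08:00:33Z", "ip": "203.0.113.7", "user": "frank@corp.example", "result": 0}
{"time": "2021-06-25T08:05:00Z", "ip": "198.51.100.9", "user": "alice@corp.example", "result": 50126}
{"time": "2021-06-25T08:05:04Z", "ip": "198.51.100.9", "user": "alice@corp.example", "result": 50126}
{"time": "2021-06-25T08:05:08Z", "ip": "198.51.100.9", "user": "alice@corp.example", "result": 50126}
{"time": "2021-06-25T08:05:12Z", "ip": "198.51.100.9", "user": "alice@corp.example", "result": 50126}
{"time": "2021-06-25T09:30:00Z", "ip": "192.0.2.44", "user": "bob@corp.example", "result": 50126}
{"time": "2021-06-25T09:30:40Z", "ip": "192.0.2.44", "user": "bob@corp.example", "result": 0}
"""

def load(log_text):
    # One JSON event per line; timestamps become timezone-aware UTC datetimes.
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events

def detect(events, window_minutes=30, spray_users=5, brute_attempts=4):
    """Per (source IP, fixed time window): a spray is >= spray_users distinct users
    with <= 2 failures each; brute force is >= brute_attempts failures on one user."""
    fails = defaultdict(lambda: defaultdict(int))   # (ip, window) -> user -> count
    success_after = set()                            # windows with a success after failures
    for e in events:                                 # assumes chronological order
        key = (e["ip"], int(e["time"].timestamp()) // (window_minutes * 60))
        if e["result"] != 0:
            fails[key][e["user"]] += 1
        elif key in fails:
            success_after.add(key)
    alerts = []
    for key, per_user in fails.items():
        worst = max(per_user.values())
        spray = len(per_user) >= spray_users and worst <= 2
        if spray or worst >= brute_attempts:
            alerts.append({"kind": "password_spray" if spray else "brute_force",
                           "ip": key[0], "users": len(per_user),
                           "success_after_failures": key in success_after})
    return alerts
```

Fixed windows can split a slow spray across two buckets, so in production lower the thresholds or use a sliding window; the single benign failure from 192.0.2.44 correctly produces no alert.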