Microsoft says that it has discovered new attacks by the Russian state-sponsored Nobelium hacking group, including a hacked Microsoft support agent’s computer that exposed customers’ subscription information.
Nobelium is Microsoft’s name for a state-sponsored hacking group believed to operate out of Russia, suspected of being affiliated with the Russian Foreign Intelligence Service (SVR), and held responsible for the SolarWinds supply-chain attacks. Nobelium’s most recent campaign took place in May this year; nearly 140 companies were targeted, with 14 confirmed cases of compromise.
In a new blog post published on Friday night, Microsoft said that the hacking group has been conducting password spray and brute-force attacks to gain access to corporate networks.
Password spray and brute-force attacks are alike in that both try to gain unauthorized access to an online account by guessing its password, usually with automated tooling. They differ in shape: a password spray tries a small set of common passwords against many accounts, cycling through the accounts so that no single account accumulates enough failures to trip lockouts or alerts. A brute-force attack instead hammers a single account with a large number of different password attempts.
Microsoft says that Nobelium’s latest attacks have been mostly unsuccessful. Still, it knows of three entities that were breached by Nobelium in these attacks.
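Detection logic for the two patterns described above, as an added example that is not from the article or from Microsoft’s report; the log format, the sample lines and the thresholds are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample authentication log lines (not from the article):
# "<timestamp> <source_ip> <account> <result>"
SAMPLE_LOG = """\
2021-06-25T01:00:01Z 203.0.113.5 alice FAIL
2021-06-25T01:00:02Z 203.0.113.5 bob FAIL
2021-06-25T01:00:03Z 203.0.113.5 carol FAIL
2021-06-25T01:00:04Z 203.0.113.5 dave FAIL
2021-06-25T01:00:05Z 203.0.113.5 erin FAIL
2021-06-25T01:00:06Z 203.0.113.5 frank FAIL
2021-06-25T01:00:10Z 198.51.100.9 admin FAIL
2021-06-25T01:00:11Z 198.51.100.9 admin FAIL
2021-06-25T01:00:12Z 198.51.100.9 admin FAIL
2021-06-25T01:00:13Z 198.51.100.9 admin FAIL
2021-06-25T01:00:14Z 198.51.100.9 admin FAIL
2021-06-25T01:00:15Z 198.51.100.9 admin FAIL
2021-06-25T01:00:20Z 192.0.2.7 alice FAIL
2021-06-25T01:00:25Z 192.0.2.7 alice OK
"""

def parse(log_text):
    """Yield (src_ip, account, result) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, account, result = line.split()
        yield src, account, result

def classify(log_text, spray_accounts=5, brute_attempts=5):
    """Return {src_ip: 'password_spray' | 'brute_force'} for sources whose
    failed-login pattern matches one of the two shapes described above."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> account -> failures
    for src, account, result in parse(log_text):
        if result == "FAIL":
            fails[src][account] += 1
    verdicts = {}
    for src, per_account in fails.items():
        distinct = len(per_account)
        peak = max(per_account.values())
        # Spray: many distinct accounts, each tried only a few times
        # (stays under per-account lockout thresholds, so count per source).
        if distinct >= spray_accounts and peak < brute_attempts:
            verdicts[src] = "password_spray"
        # Brute force: one account hit with many attempts from one source.
        elif peak >= brute_attempts:
            verdicts[src] = "brute_force"
    return verdicts
```

The spray check keys on the number of distinct accounts per source rather than failures per account, which is exactly the signal a per-account lockout policy misses.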
Microsoft support tools accessed by hackers
During its investigation of these attacks, Microsoft also disclosed that an information-stealing trojan had been found on a Microsoft customer support agent’s computer, which gave the attackers access to “basic account information” for a limited number of customers.
Nobelium then used this customer data in targeted phishing attacks against Microsoft customers.
Microsoft disclosed the attacks after Reuters reported on an email sent to the affected customers warning them that the threat actors had gained access to information about their Microsoft Services subscriptions.
Nobelium’s recent activity
The Nobelium hacking group, also known as APT29, The Dukes, and Cozy Bear, has been attributed the recent SolarWinds supply-chain attack that compromised numerous American companies, including Microsoft, Cisco, Malwarebytes, FireEye, and Mimecast, as well as many U.S. government agencies.
As part of that attack, the threat actors replaced legitimate modules in the SolarWinds Orion IT monitoring platform, and the trojanized modules were distributed to customers through the software’s normal automatic-update procedure. These malicious modules allowed the threat actors to gain remote access to compromised devices and service providers, from which further internal attacks could be launched.
In April, the U.S. government formally accused the Russian government and its Foreign Intelligence Service, the SVR, of the attacks on SolarWinds and on American interests.
More recently, Microsoft revealed that the group had compromised the Constant Contact account of USAID, a U.S. agency responsible for providing foreign aid and development assistance.
Using these email marketing account credentials, Nobelium conducted targeted phishing attacks to distribute malware and gain access to internal networks.
Microsoft found that the SolarWinds attackers remain busy, running an active phishing campaign. Their latest victim is an email marketing campaign used by the U.S. Agency for International Development (USAID); the result is thousands of malicious emails and files sent out.
How Does the Latest Attack Work?
The hackers took control of the Constant Contact email marketing account owned by USAID and sent out mass emails containing a tainted link that, when clicked, infects the user’s device with a backdoor called “NativeZone.”
As of Tuesday, the campaign was still active. Microsoft did not say how many victims were actually affected by the malicious emails and files, but its report states that nearly 3,000 accounts at 150 organizations were targeted. Most of the attacks occurred within the U.S., but they also reached 20 other countries. The organizations that received these Constant Contact emails work in the international development, humanitarian and human rights sectors. Joint efforts by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have reassured the public that most of the emails would have been blocked by security software such as antivirus or anti-malware programs before reaching the victims.