Recent nation state attacks are proving that compromising a company through vendor relationships is the new normal.
Microsoft recently released an advisory documenting a Russian nation state threat actor they track as Nobelium.
Nobelium has been tied to the Russian Foreign Intelligence Service (SVR), and is most recently notable for being behind the SolarWinds attack that subsequently compromised tens of thousands of downstream customer environments.
This latest development indicates that nation state threat actors are ramping up their supply chain attacks after recent successes in leveraging FireEye, SolarWinds, and Kaseya products.
Since May, Microsoft has discovered more than 140 attempts to compromise service providers and technology resellers, further identifying 14 compromised environments.
The goal is to compromise the vendor, then piggyback off customer relationships to further compromise customer environments where the vendor has elevated privileges.
The techniques used by the threat actors were not novel or complex; Microsoft documented phishing attacks and password sprays. What is novel is the complicated way that the attackers are chaining together vendor compromises to attack different aspects of the customer network.
In one example, Nobelium threat actors compromised the access of 4 separate vendors to subsequently compromise multiple aspects of the target customer environment.
Microsoft made additional observations of the techniques Nobelium used:
- Leveraging anonymous network infrastructure, such as proxies and TOR
- Utilizing scripted tools to enumerate Azure AD environments
- Modifying Azure AD to enable long-term persistence
- Regularly compromising Domain Admin accounts
In one instance, Microsoft found threat actors utilizing Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO), to elevate privileges.
Hunting and Detection
In the Microsoft Technical Guidance article on Nobelium, they provide several examples of detection and hunting queries which can be used with Azure Sentinel, Microsoft 365 Defender, and Microsoft Cloud App Security, among others.
Please review the links in the Resources section below, or in the Microsoft Technical Guidance article for more detail.
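To make the hunting idea concrete, the following is an added example (not Microsoft's queries and not code from the original article) that applies three of the checks the guidance describes to constructed log records: Run Command invocations outside a change window or by an identity that is not an approved automation account, Azure Portal sign-ins from another tenant, and a correlation of the two (a Run Command issued shortly after a cross-tenant sign-in by the same principal, which is the vendor-hop pattern discussed above). The field names (TimeGenerated, Caller, OperationNameValue, ResourceId, UserPrincipalName, HomeTenantId, ResourceTenantId, AppDisplayName) are assumed to follow the Azure Activity and Azure AD sign-in log schema; all tenant IDs, identities, allowlists and events are constructed for the example.

```python
"""Hunting checks over constructed Azure Activity and sign-in log records.

Added example, not Microsoft's Sentinel queries. Field names are assumed to
follow the Sentinel AzureActivity / SigninLogs schema; all identities, tenant
IDs and events below are constructed."""
from datetime import datetime, timedelta

RUN_COMMAND_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"
OUR_TENANT = "11111111-1111-1111-1111-111111111111"        # constructed tenant ID
VENDOR_TENANT = "22222222-2222-2222-2222-222222222222"     # constructed tenant ID
APPROVED_AUTOMATION = {"patch-automation@corp.example"}    # assumed allowlist
CHANGE_WINDOW_UTC = range(8, 18)                           # assumed 08:00-17:59 UTC


def _vm(rg, name):
    """Build a constructed VM resource ID in the Azure format."""
    return (f"/subscriptions/sub-a/resourceGroups/{rg}"
            f"/providers/Microsoft.Compute/virtualMachines/{name}")


# Constructed Azure Activity log records (subset of fields).
ACTIVITY_LOG = [
    {"TimeGenerated": "2021-10-26T09:15:00Z", "Caller": "patch-automation@corp.example",
     "OperationNameValue": RUN_COMMAND_OP, "ResourceId": _vm("rg-web", "vm-web-01")},
    {"TimeGenerated": "2021-10-26T02:40:00Z", "Caller": "vendor-admin@msp.example",
     "OperationNameValue": RUN_COMMAND_OP, "ResourceId": _vm("rg-dc", "vm-dc-01")},
    {"TimeGenerated": "2021-10-26T14:05:00Z", "Caller": "vendor-admin@msp.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "ResourceId": _vm("rg-web", "vm-web-01")},
    {"TimeGenerated": "2021-10-26T14:10:00Z", "Caller": "vendor-admin@msp.example",
     "OperationNameValue": RUN_COMMAND_OP, "ResourceId": _vm("rg-app", "vm-app-02")},
]

# Constructed Azure AD sign-in records (subset of fields).
SIGNIN_LOG = [
    {"TimeGenerated": "2021-10-26T02:31:00Z", "UserPrincipalName": "vendor-admin@msp.example",
     "HomeTenantId": VENDOR_TENANT, "ResourceTenantId": OUR_TENANT, "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2021-10-26T08:02:00Z", "UserPrincipalName": "alice@corp.example",
     "HomeTenantId": OUR_TENANT, "ResourceTenantId": OUR_TENANT, "AppDisplayName": "Azure Portal"},
]


def _ts(s):
    """Parse the Sentinel-style ISO-8601 UTC timestamp."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def run_command_events(events):
    """All Azure VM Run Command invocations in the activity log."""
    return [e for e in events if e["OperationNameValue"].upper() == RUN_COMMAND_OP]


def suspicious_run_commands(events, approved=APPROVED_AUTOMATION, window=CHANGE_WINDOW_UTC):
    """Run Command invocations outside the change window or by an identity that
    is not an approved automation account, with the reasons attached."""
    hits = []
    for e in run_command_events(events):
        reasons = []
        if _ts(e["TimeGenerated"]).hour not in window:
            reasons.append("outside change window")
        if e["Caller"] not in approved:
            reasons.append("caller is not an approved automation identity")
        if reasons:
            hits.append({"time": e["TimeGenerated"], "caller": e["Caller"],
                         "resource": e["ResourceId"], "reasons": reasons})
    return hits


def cross_tenant_portal_signins(signins, our_tenant=OUR_TENANT):
    """Azure Portal sign-ins into our tenant by principals homed in another tenant."""
    return [s for s in signins
            if s["AppDisplayName"] == "Azure Portal"
            and s["ResourceTenantId"] == our_tenant
            and s["HomeTenantId"] != our_tenant]


def run_commands_after_foreign_signin(events, signins, within=timedelta(hours=1)):
    """Correlate: a Run Command issued by a principal within `within` of that
    principal signing in from another tenant (the vendor-hop pattern)."""
    hits = []
    for s in cross_tenant_portal_signins(signins):
        t0 = _ts(s["TimeGenerated"])
        for e in run_command_events(events):
            t1 = _ts(e["TimeGenerated"])
            if e["Caller"] == s["UserPrincipalName"] and timedelta(0) <= t1 - t0 <= within:
                hits.append({"principal": e["Caller"], "signin": s["TimeGenerated"],
                             "run_command": e["TimeGenerated"], "resource": e["ResourceId"]})
    return hits


if __name__ == "__main__":
    for h in suspicious_run_commands(ACTIVITY_LOG):
        print("RunCommand:", h)
    for h in run_commands_after_foreign_signin(ACTIVITY_LOG, SIGNIN_LOG):
        print("Correlated:", h)
```

Against the constructed data, the 02:40 Run Command on vm-dc-01 is flagged twice (out of hours, unapproved caller) and correlates with the vendor's cross-tenant portal sign-in nine minutes earlier, while the 14:10 Run Command is flagged only for the unapproved caller and falls outside the one-hour correlation window. The correlation is the check worth keeping: Run Command from an approved automation identity in the window is routine, but Run Command from a vendor-homed account right after a foreign-tenant sign-in matches the chaining Microsoft describes.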
Review of the Microsoft Advisory is highly recommended, as well as the technical guidance documentation from Microsoft. The technical guidance has additional advice dedicated to service providers and downstream clients.
For Azure-specific environments, the technical guidance has additional auditing and hardening techniques, including:
- How and where to enable Multi-factor Authentication (MFA)
- Auditing user privileges and removing outdated access
- Creating conditional access policies to limit access
- How to review audit logs for suspicious activity
It includes Azure Sentinel detections and hunting queries, linked below.
It is critical that vendors and service providers’ access be limited based on actual need. A zero trust model is recommended in regard to vendor access, including access supplied to Novacoast.
Apply MFA where possible and enforce strict password requirements following modern best practices. Restrict API access to only allow what is specifically needed by you or your vendors’ automated tools. Prune access when it is no longer needed.
Whether you are the vendor or the client, it is recommended that your level of access be audited to minimize the footprint of the vendor within the customer environment. Vendor relationships and access should continually be audited and well documented, such as in a Configuration Management Database (CMDB).
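The auditing and pruning advice in this section and in the Azure hardening list above (audit privileges, remove outdated access, document vendor access in a CMDB) can be turned into a repeatable check. The following is an added example, not code from the original article or from Microsoft: it walks a constructed set of Azure role assignments, compares each vendor principal against a constructed CMDB of contracted scopes, and reports access that is undocumented, broader than contracted, standing high privilege at subscription scope, or unused past a pruning threshold. The CMDB layout, the internal domain, the high-privilege role set and the 60-day threshold are assumptions for the example.

```python
"""Vendor access audit over constructed Azure role assignments.

Added example, not the article's or Microsoft's code. The CMDB structure,
the role set treated as high privilege, the internal domain and the stale
threshold are assumptions; all principals and assignments are constructed."""
from datetime import date

HIGH_PRIV_ROLES = {"Owner", "User Access Administrator", "Contributor"}  # assumed
STALE_DAYS = 60                    # assumed pruning threshold
INTERNAL_DOMAIN = "corp.example"   # constructed

# Constructed CMDB entries: vendor domain -> scopes the vendor is contracted to manage.
CMDB = {
    "msp.example": {"contracted_scopes": {"/subscriptions/sub-a/resourceGroups/rg-web"}},
    "backup-vendor.example": {"contracted_scopes": {"/subscriptions/sub-a/resourceGroups/rg-backup"}},
}

# Constructed role assignments with the principal's last sign-in date.
ROLE_ASSIGNMENTS = [
    {"principal": "ops-bot@msp.example", "role": "Contributor",
     "scope": "/subscriptions/sub-a/resourceGroups/rg-web", "last_sign_in": "2021-10-20"},
    {"principal": "vendor-admin@msp.example", "role": "Owner",
     "scope": "/subscriptions/sub-a", "last_sign_in": "2021-10-25"},
    {"principal": "svc@backup-vendor.example", "role": "Reader",
     "scope": "/subscriptions/sub-a/resourceGroups/rg-backup", "last_sign_in": "2021-06-01"},
    {"principal": "agent@old-vendor.example", "role": "Contributor",
     "scope": "/subscriptions/sub-a/resourceGroups/rg-legacy", "last_sign_in": "2021-03-15"},
    {"principal": "alice@corp.example", "role": "Owner",
     "scope": "/subscriptions/sub-a", "last_sign_in": "2021-10-26"},
]


def principal_domain(principal):
    """Domain part of a UPN, used to map a principal to its vendor."""
    return principal.split("@", 1)[1]


def is_vendor(principal, internal_domain=INTERNAL_DOMAIN):
    """Any principal not homed in the internal domain is treated as vendor access."""
    return principal_domain(principal) != internal_domain


def scope_within(scope, allowed):
    """True if `scope` equals or sits beneath one of the allowed scopes."""
    return any(scope == a or scope.startswith(a + "/") for a in allowed)


def is_subscription_scope(scope):
    """'/subscriptions/<id>' has exactly two slashes; deeper scopes have more."""
    return scope.count("/") == 2


def audit_vendor_access(assignments, cmdb=CMDB, today=date(2021, 10, 26),
                        stale_days=STALE_DAYS):
    """Return (principal, finding) pairs for vendor access that should be
    documented, narrowed or pruned."""
    findings = []
    for a in assignments:
        p = a["principal"]
        if not is_vendor(p):
            continue
        entry = cmdb.get(principal_domain(p))
        if entry is None:
            findings.append((p, "vendor not documented in CMDB; remove or document"))
            continue
        if not scope_within(a["scope"], entry["contracted_scopes"]):
            findings.append((p, f"scope {a['scope']} exceeds contracted scopes"))
        if a["role"] in HIGH_PRIV_ROLES and is_subscription_scope(a["scope"]):
            findings.append((p, f"standing {a['role']} at subscription scope; narrow and time-bound it"))
        age = (today - date.fromisoformat(a["last_sign_in"])).days
        if age > stale_days:
            findings.append((p, f"no sign-in for {age} days; prune"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit_vendor_access(ROLE_ASSIGNMENTS):
        print(f"{principal}: {finding}")
```

On the constructed data the in-scope, recently used Contributor for ops-bot@msp.example produces no finding, the vendor Owner at subscription scope is flagged both for exceeding its contracted scope and for standing subscription-level privilege, the backup vendor's Reader is flagged as unused for 147 days, and the principal from a vendor absent from the CMDB is flagged for removal or documentation. Run this from the actual role-assignment export on a schedule so the footprint is audited continually rather than once.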
To prevent compromise through phishing campaigns, regular training is recommended. If feasible, implement regular phishing simulations to help develop staff awareness of phishing threats. Require additional training if a user fails a phishing simulation, or is found storing credentials in an insecure manner.
Microsoft noted that a common post-compromise tactic was reconnaissance and data exfiltration. Monitoring tools and Data Loss Prevention can help limit the post-compromise activity by the threat actor.
Resources
Microsoft Nobelium Advisory
Azure Sentinel Detections:
- Azure VM Run Command operations executing a unique PowerShell script
- Azure VM Run Command operation executed during suspicious login window
- Azure Portal Sign-in from another Azure Tenant