Another Nobelium Cyberattack (Solar Winds attack group)

hawki · May 28, 2021

"Russia Appears to Carry Out Hack Through System Used by U.S. Aid Agency

Microsoft reported that it had detected the intrusion and that the same hackers behind the earlier SolarWinds attack were responsible...

Hackers linked to Russia’s main intelligence agency surreptitiously seized an email system used by the State Department’s international aid agency to burrow into the computer networks of human rights groups and other organizations...

The newly disclosed attack was also particularly bold: By breaching the systems of a supplier used by the federal government, the hackers sent out genuine-looking emails to more than 3,000 accounts across more than 150 organizations that regularly receive communications from the United States Agency for International Development. Those emails went out as recently as this week, and Microsoft said it believes the attacks are ongoing...

The email was implanted with code that would give the hackers unlimited access to the computer systems of the recipients, from 'stealing data to infecting other computers on a network,'Tom Burt, a Microsoft vice president, wrote on Thursday night...

Microsoft noted that the attack differed “significantly” from the SolarWinds hack, using new tools and tradecraft in an apparent effort to avoid detection...

It said that the attack was still in progress and that the hackers were continuing to send spearphishing emails, with increasing speed and scope...

...the Russians got into the Agency for International Development email system by routing around the agency and going directly after its software suppliers. Constant Contact manages mass emails and other communications on the aid agency’s behalf...

'Nobelium launched this week’s attacks by gaining access to the Constant Contact account of U.S.A.I.D.,'Mr. Burt of Microsoft wrote..."
Click to expand...

https://www.nytimes.com/2021/05/28/us/politics/russia-hack-usaid.html

https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/

hawki · May 29, 2021

"Microsoft: Russian hackers used 4 new malware in USAID phishing...

In a second blog post released Friday night, Microsoft provides details on four new malware families used by Nobelium in these recent attacks.

The four new families include an HTML attachment named 'EnvyScout', a downloader known as 'BoomBox,' a loader known as 'NativeZone', and a shellcode downloader and launcher named 'VaporRage'...:

https://www.bleepingcomputer.com/ne...hackers-used-4-new-malware-in-usaid-phishing/

hawki · Jun 1, 2021

"Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks...

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures..."

https://www.justice.gov/opa/pr/just...d-seizure-domain-names-used-furtherance-spear

guest · Jun 26, 2021

Nobelium hackers accessed Microsoft customer support tools
June 26, 2021
https://www.bleepingcomputer.com/ne...rs-accessed-microsoft-customer-support-tools/

Microsoft says they have discovered new attacks conducted by the Russian state-sponsored Nobelium hacking group, including a hacked Microsoft support agent's computer that exposed customer's subscription information.

Nobelium is Microsoft's name for a state-sponsored hacking group believed to be operating out of Russia responsible for the SolarWinds supply-chain attacks.
In a new blog post published Friday night, Microsoft states that the hacking group has been conducting password spray and brute-force attacks to gain access to corporate networks.
Click to expand...

Microsoft says that Nobelium's recent attacks have been mostly unsuccessful. However, they know of three entities that were breached by Nobelium in these attacks.

"This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services," Microsoft said in a blog post about the attacks.
Click to expand...

guest · Jul 2, 2021

SolarWinds hackers remained hidden in Denmark’s central bank for months
June 30, 2021
https://securityaffairs.co/wordpres...denmarks-central-bank-solarwinds-hackers.html

Russia-linked threat actors infected the systems of Denmark’s central bank (Danmarks Nationalbank) and maintained access to its network for more than six months.

The security breach is the result of the SolarWinds supply chain attack that was carried out by the Nobelium APT group (aka APT29, Cozy Bear, and The Dukes).
The intrusion was revealed by the technology outlet Version2, which obtained official documents from the Danish central bank through a freedom of information request.

“Some of the world’s most sophisticated hackers have had an IT backdoor at Danmarks Nationalbank for seven months. Danmarks Nationalbank itself cannot rule out that the suspected Russian state hackers have abused the back door to further compromise Danmarks Nationalbank.” states Version2.
Click to expand...

guest · Sep 29, 2021

Microsoft warns of Nobelium hackers using FoggyWeb backdoor
September 28, 2021
https://www.hackread.com/microsoft-nobelium-hackers-foggyweb-backdoor/

According to Microsoft, the notorious attacker group Nobelium is using a never-before-seen post-exploitation backdoor that can steal sensitive data from a compromised AD FS (Active Directory Federation Services) server.

FoggyWeb backdoor is a highly pervasive and targeted backdoor capable of remotely exfiltrating sensitive data, receiving malicious commands from the attacker-controlled C2 server, and executing those on the victim’s server.

“Nobelium uses FoggyWeb backdoor to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” wrote Ramin Nafisi from MSTIC.
Further, the backdoor abuses the Security Assertion Markup Language token, which helps users authenticate to applications quickly.
Click to expand...

guest · Oct 1, 2021

New Tomiris backdoor likely developed by SolarWinds hackers
September 29, 2021
https://www.bleepingcomputer.com/ne...kdoor-likely-developed-by-solarwinds-hackers/

Kaspersky security researchers have discovered a new backdoor likely developed by the Nobelium hacking group behind last year's SolarWinds supply chain attack.

This comes on the heels of another report published by Microsoft two days ago detailing FoggyWeb, a "passive and highly targeted" backdoor developed and used by the same group to exfiltrate sensitive information from compromised AD FS servers remotely.
Click to expand...

The new malware found by Kaspersky, dubbed Tomiris, was first spotted in June even though the first samples were deployed in the wild in February 2021, one month before the "sophisticated second-stage backdoor" Sunshuttle was found by FireEye and linked to Nobelium.

Their victims were redirected to webmail login pages that helped the attackers to steal their email credentials and, in some cases, prompted them to install a malicious software update that instead downloaded the previously unknown Tomiris backdoor.

"During these time frames, the authoritative DNS servers for the zones above were switched to attacker-controlled resolvers. These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations," Kaspersky said.
Click to expand...

guest · Oct 25, 2021

Microsoft Warns of Continued Supply-Chain Attacks by the Nobelium Hacker Group
October 25, 2021
https://thehackernews.com/2021/10/microsoft-warns-of-continued-supply.html

Nobelium, the threat actor behind the SolarWinds compromise in December 2020, has been behind a new wave of attacks that compromised 14 downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations, illustrating the adversary's continuing interest in targeting the supply chain via the "compromise-one-to-compromise-many" approach.

Microsoft, which disclosed details of the campaign on Monday, said it notified more than 140 resellers and technology service providers since May. Between July 1 and October 19, 2021, Nobelium is said to have singled out 609 customers, who were collectively attacked a grand total of 22,868 times.

"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government," said Tom Burt, Microsoft's corporate vice president of customer security and trust.
Click to expand...

Log in or Sign up

Another Nobelium Cyberattack (Solar Winds attack group)

hawki Registered Member

hawki Registered Member

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Another Nobelium Cyberattack (Solar Winds attack group)

hawki Registered Member

hawki Registered Member

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches