Microsoft has issued an alert to expose a targeted spear-phishing campaign launched by Russian hackers behind the SolarWinds hacking campaign to target more than 150 different organisations across sectors and conduct data exfiltration or additional malware deployment.
The targeted spear-phishing campaign, conducted by NOBELIUM, the hacker group behind the SolarWinds hacking campaign, was first detected in late January. Since then, the hackers have used a variety of tools and techniques to lure recipients into clicking malicious links and so enable the deployment of malware into their organisations' networks.
According to the Microsoft Threat Intelligence Center (MSTIC), the spear-phishing campaign has so far targeted approximately 3,000 individual accounts across more than 150 organisations. The hackers have been found employing “an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.”
Spear-phishing emails delivered by NOBELIUM initially leveraged the Google Firebase platform to stage an ISO file containing malicious content. At first the hacker group sent only the tracking portion of the email, to record attributes of those who accessed the URL; these emails did not contain any malicious payloads. The group soon changed its tactic and started using an HTML file attached to a spear-phishing email to compromise targeted systems.
From April onwards, NOBELIUM stopped using Firebase and instead encoded the ISO within the HTML document itself, using the api.ipify.org service to record details of the target host on a remote server. The group continued to vary its techniques, for example dropping a custom .NET first-stage implant that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.
The most significant stage of the spear-phishing campaign took place on May 25, when NOBELIUM used the legitimate mass mailing service Constant Contact to send spear-phishing emails to around 3,000 individual accounts across more than 150 organisations. The emails appeared to originate from USAID (firstname.lastname@example.org), while the sender email address matched the standard Constant Contact service.
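The two observable traits described above, a From address that does not match the bulk-mail provider the message was actually sent through, and an HTML attachment carrying a base64-encoded ISO image, are both checkable at the mail gateway. The following script is an added example written for this article, not code from Microsoft or from the report; it parses a raw .eml with Python's standard library, compares the From and Return-Path domains, and decodes any large base64 blob inside HTML parts to test for the ISO 9660 primary volume descriptor signature ("CD001" at byte offset 32769). The bulk-mail domain `bulkmail.example` is a constructed placeholder, the sample message is built inline and the "ISO" in it is a zero-filled image with only that signature set.

```python
"""Scan a raw .eml for two indicators from the NOBELIUM spear-phishing report:
a From domain that differs from a bulk-mail provider's Return-Path domain, and
an HTML attachment that smuggles a base64-encoded ISO 9660 image.
Added example; all sample data below is constructed for the demonstration."""
import base64
import binascii
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

ISO_PVD_OFFSET = 32768                   # sector 16: ISO 9660 primary volume descriptor
ISO_MAGIC = b"CD001"                     # standard identifier that follows the type byte
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")
BEACON_HOSTS = (b"api.ipify.org",)       # public-IP lookup service named in the report
BULK_MAIL_DOMAINS = {"bulkmail.example"}  # constructed placeholder for a mass-mailing provider


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 volume descriptor signature."""
    end = ISO_PVD_OFFSET + 1 + len(ISO_MAGIC)
    return len(data) >= end and data[ISO_PVD_OFFSET + 1:end] == ISO_MAGIC


def find_embedded_isos(html: bytes) -> list:
    """Decode every long base64 run in an HTML body and report those that are ISO images."""
    hits = []
    for m in BASE64_BLOB.finditer(html):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if looks_like_iso(decoded):
            hits.append({"offset": m.start(), "decoded_len": len(decoded)})
    return hits


def find_beacon_hosts(html: bytes) -> list:
    return [h.decode() for h in BEACON_HOSTS if h in html]


def domain_of(header_value) -> str:
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def scan_message(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    bounce_domain = domain_of(msg.get("Return-Path"))
    findings = {
        "from_domain": from_domain,
        "bounce_domain": bounce_domain,
        # Sent via a bulk-mail provider but displayed as someone else's domain
        "bulk_mail_mismatch": bounce_domain in BULK_MAIL_DOMAINS and from_domain != bounce_domain,
        "embedded_isos": [],
        "beacon_hosts": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".htm", ".html")):
            continue
        body = part.get_payload(decode=True) or b""   # undo the MIME transfer encoding
        findings["embedded_isos"] += find_embedded_isos(body)
        findings["beacon_hosts"] += find_beacon_hosts(body)
    findings["suspicious"] = findings["bulk_mail_mismatch"] or bool(findings["embedded_isos"])
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a zero-filled 'ISO' with only the PVD signature, smuggled in HTML."""
    iso = bytearray(ISO_PVD_OFFSET + 2048)
    iso[ISO_PVD_OFFSET] = 1                                  # descriptor type: primary
    iso[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    html = (b"<html><body><script>\nvar ipService = 'https://api.ipify.org';\n"
            b"var blob = '" + base64.b64encode(bytes(iso)) + b"';\n</script></body></html>")
    msg = EmailMessage()
    msg["From"] = "USAID <firstname.lastname@example.org>"   # display identity from the article
    msg["To"] = "recipient@victim.example"
    msg["Return-Path"] = "<bounce@bulkmail.example>"         # constructed bulk-mail bounce address
    msg["Subject"] = "Constructed test message"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(html, maintype="text", subtype="html", filename="report.html")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The regex deliberately requires an unbroken run of base64 characters; that keeps ordinary prose and short inline images from being decoded, and the signature check at offset 32769 means a large blob is only flagged when it really is a disc image rather than, say, an embedded font.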
“The successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised systems. Then, the successful execution of these malicious payloads could enable NOBELIUM to conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware,” wrote Microsoft vice-president Tom Burt in a blog post.
“Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place,” he added.
According to Microsoft, organisations can reduce the impact of this threat by turning on cloud-delivered protection in Microsoft Defender Antivirus or other antivirus products; running EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts; enabling network protection to prevent applications or users from accessing malicious domains; enabling investigation and remediation in full automated mode so that Microsoft Defender for Endpoint takes immediate action on alerts to resolve breaches; using device discovery to increase network visibility; and enabling multifactor authentication (MFA) to mitigate compromised credentials.
Sam Curry, chief security officer at Cybereason, says that with hackers targeting the networks of a large number of public and private sector organisations with spear-phishing emails, it’s long past time for organisations to do more than the minimum to stop material losses and the daily headlines of mayhem. It’s time to tighten up and get the security practices right: least privilege, resilience, planning for the worst and a detection mindset.
“Today, the asymmetry in cyber conflict favours attackers and, so far, the attackers are getting more effective at a faster rate than defenders are. This is not cause for despair, but it is a wake-up call for innovation and to find new methods of working together and of countering them. There is a call to arms to all of us to protect the connected world and to reverse this trend. There are ways to be safe and to boost our mutual protection, but simply doing more of the same is a recipe for disaster.
“No one should lose sight of the fact that threat groups are oftentimes large organisations numbering in the hundreds of people with support networks, investors, partners, labs, cloud operations and more. This isn’t 5 guys and a coffee machine. Imagine a modern, lean, entrepreneurial Silicon Valley organisation. Now move it to Russia, China, North Korea or Iran and give it protection from the state and unleash it to make money, perform espionage, conduct operations and more with no holds barred,” Curry adds.