A surge in supply chain attacks linked to Nobelium

Russia’s national cyber campaign in progress, including a link to the Advanced Persistent Threat (APT) group that handed over SolarWinds almost a year ago Target cloud and managed service providers And with “first-class” trade crafts and operational security, it poses a living and dangerous threat.

It has been designated as UNC3004 and UNC2652, both of which appear to be associated, according to Mandiant’s threat researchers who tracked this activity and identified the two clusters. With SolarWinds torturers, UNC2452, Also known as nobelium, Although there is not enough evidence to confirm that this is the case.

“In most cases, post-infringement activities involved theft of data related to Russia’s interests,” the researchers said. Newly published disclosure notice..

“In some cases, data theft appears to have been taken primarily to create new routes to access the victim’s environment. The attacker is persistent to the victim’s environment. We continue to innovate and identify new technologies and tradecraft to maintain access, prevent detection, and disrupt attribution efforts. “

Mandiant researchers Luke Jenkins, Sarah Hawley, Parmian Najafi, and Doug Bienstock are typical examples of supplies where attackers use privileged access and credentials to move downstream and be compromised by third parties. We have discovered that you are breaching your target network through your IT service provider. Chain attack.

Also, at least one actor compromised a local VPN account, used it to perform reconnaissance, gained access to additional resources within the victim’s Cloud Service Provider (CSP) environment, and eventually compromised an internal domain account. We have identified two instances.

The team also identified a campaign in which an attacker used a stolen session token to access a targeted Microsoft 365 environment. Further analysis reveals that some of the targeted workstations are already infected with Cryptbot infostealer, and Mandiant estimates that the attacker probably obtained a session token. From the Cryptbot operator.

After accessing the service provider, the group developed several tactics and techniques when moving downstream to the intended target. More fully detailed on Mandiant’s blog..

However, of particular note are some methods of trying to circumvent the safeguards. This can be done by using stolen session cookies to identify CSP virtual machines (VMs) that are allowed to communicate with downstream customers, bypassing CSP and target security measures, or encoding in C. It includes deploying a new downloader called Ceeloader that supports shellcode. A fully obfuscated payload that runs in the memory of the target device.

The actor also localized the infrastructure so that it appeared to be geographically close to the victim’s environment. In other words, it’s not Russia. To do this, use the residential IP address range obtained through a residential and mobile IP address proxy provider to authenticate the victim’s network and over a connection from a legitimate Internet service provider (ISP). There are many ways to do this, such as pretending to be logged on. In the same country.

In another example, the attacker provisioned a system in Azure that was close to the legitimate CSP Azure host system used to access the customer environment, established geo-accessibility, and originated from the legitimate one. Recorded the source IP address of the activity. range.

The Mandiant team also discovered that the attackers were paying particular attention to their operational security. For example, use multiple compromised accounts and separate them by function (reconnaissance, lateral movement, data theft, etc.) to reduce the chances of a defender being warned. Suspicious activity. It has also been confirmed to bypass or remove the system logging feature.

“This intrusion activity reflects a well-resourced set of threat actors operating with a high level of concern about operational security,” the team said.

“Third-party (in this case CSP) abuse could facilitate access to a wide range of potential victims in a single breach. Mandiant now attributed this activity with greater confidence. Although not allowed, the operational security associated with this third party intrusion and abuse is consistent with the tactics adopted by the actors behind the SolarWinds breach, creating a relationship between third parties and trusted vendors. We emphasize the effectiveness of utilizing it. We perform illegal operations. “ A surge in supply chain attacks linked to Nobelium

Back to top button