Microsoft issued a warning over a “sophisticated” ongoing cyberattack supposed to be from the same Russia-linked hackers behind the SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components.
An Email-Based Attack from NOBELIUM
“The attack appears to be targeting government agencies, think tanks, consultants, and NGOs. In total, around 3,000 email accounts are believed to have been targeted across 150 organizations. Victims are spread across upward of 24 countries, but the majority are believed to be in the US”, says Tom Burt, Microsoft’s Corporate Vice President for customer security and trust.
The hackers from a threat actor called ‘Nobelium’ were able to compromise the US Agency for International Development’s account on a marketing service called Constant Contact, allowing them to send authentic-looking phishing emails.
NOBELIUM in the past has targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.
This email campaign leverages the legitimate service Constant Contact to send malicious links that were hidden behind the mailing service’s URL.
Because of the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam.
Nevertheless, some automated threat detection systems might have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or before detections being in place.
The screenshot given below explains one of the phishing emails, which contain a link to “Documents on Election Fraud” from Donald Trump. Upon clicking this link would install a backdoor that let the attackers steal data or infect other computers on the same network.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Enable multifactor authentication (MFA) to mitigate compromised credentials.
- For Office 365 users, see multifactor authentication support.
- For Consumer and Personal email accounts, see how to use two-step verification.
- Turn on the following attack surface reduction rule to block or audit activity associated with this threat.
Security researchers from Microsoft evaluate that the NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope. Predictably, further actions may be carried out by the group using a developing set of tactics.
Microsoft ensures to examine this threat actor’s evolving activities and will update as necessary. Microsoft 365 Defender delivers coordinated defence against this threat. Microsoft Defender for Office 365 detects malicious emails, and Microsoft Defender for Endpoints detects malware and malicious behaviours.