SolarWinds Hackers Target Microsoft Customers with Latest Attacks

Microsoft so far is aware of three compromised entities.

Edward Gately, Senior News Editor

June 28, 2021

The SolarWinds hackers have struck again, this time targeting Microsoft customers, and some of those targets were successfully compromised.

That’s according to the Microsoft Threat Intelligence Center, which is tracking new activity from Nobelium, the Russia-based group that carried out the attacks on SolarWinds customers in 2020.

Last month, Nobelium targeted about 3,000 email accounts at more than 150 different organizations. Organizations in the United States accounted for the largest share of targets, but the campaign spanned at least 24 countries.

“Our investigation into the methods and tactics being used continues, but we have seen password spray and brute-force attacks, and want to share some details to help our customers and communities protect themselves,” Microsoft said in a blog.

The hackers were mostly unsuccessful, Microsoft said. So far it is aware of three compromised entities.

“All customers that were compromised or targeted are being contacted through our nation-state notification process,” it said.

This type of activity is not new, Microsoft said. It recommends that everyone take security precautions to protect their environments from this and similar attacks. Those precautions include a zero-trust architecture and multifactor authentication (MFA), which denies an attacker a working session even after a password-spray or brute-force attempt has guessed a valid password.
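Password spray and brute force leave different shapes in sign-in logs: a spray source tries one or two guesses against many accounts (staying under any per-account lockout), while a brute-force source hammers one account. The following is an added example for this article, not code from Microsoft or from Channel Futures. It triages a small constructed set of sign-in records by source IP, labels each source with the pattern it matches, and lists the accounts that signed in successfully from a source that had already been failing, which from a spraying source are the accounts to treat as compromised first. The event tuple layout, the outcome strings and the thresholds are assumptions chosen for illustration, not values taken from Microsoft’s guidance.

```python
"""Triage failed sign-ins by source: password spray versus brute force.

Added example, not code from Microsoft or from this article. Event tuples
are a constructed, simplified stand-in for sign-in log records (field
order and outcome strings are assumptions); thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (UTC timestamp, source IP, user, outcome).
# 203.0.113.7  sprays one guess per account across many accounts; one lands.
# 198.51.100.9 brute-forces a single account.
# 192.0.2.5    is an ordinary user who mistypes once and then signs in.
SAMPLE_EVENTS = [
    ("2021-06-25T09:00:01Z", "203.0.113.7", "alice@example.com", "FAIL"),
    ("2021-06-25T09:01:12Z", "203.0.113.7", "bob@example.com", "FAIL"),
    ("2021-06-25T09:02:30Z", "203.0.113.7", "carol@example.com", "FAIL"),
    ("2021-06-25T09:03:44Z", "203.0.113.7", "dave@example.com", "FAIL"),
    ("2021-06-25T09:05:05Z", "203.0.113.7", "erin@example.com", "SUCCESS"),
    ("2021-06-25T09:06:21Z", "203.0.113.7", "frank@example.com", "FAIL"),
    ("2021-06-25T09:07:40Z", "203.0.113.7", "grace@example.com", "FAIL"),
    ("2021-06-25T08:30:00Z", "192.0.2.5", "alice@example.com", "FAIL"),
    ("2021-06-25T08:30:20Z", "192.0.2.5", "alice@example.com", "SUCCESS"),
] + [
    ("2021-06-25T10:%02d:00Z" % minute, "198.51.100.9", "carol@example.com", "FAIL")
    for minute in range(10)
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, window_minutes=60, spray_min_users=5, brute_min_failures=8):
    """Return per-source-IP findings.

    "spray": within some window the source fails against at least
    spray_min_users distinct accounts but never more than twice against any
    one of them (the shape per-account lockout never sees).
    "brute_force": at least brute_min_failures failures against one account.
    Successful sign-ins that follow a failure from the same source are listed
    separately so they can be chased first.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((parse_ts(ts), user, outcome))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(t, u) for t, u, o in evs if o == "FAIL"]

        # Slide a window over the failures; track the widest account fan-out
        # and the heaviest concentration on one account seen in any window.
        peak_users, max_single, start = 0, 0, 0
        for end in range(len(fails)):
            while fails[start][0] < fails[end][0] - window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            peak_users = max(peak_users, len(per_user))
            max_single = max(max_single, max(per_user.values()))

        if peak_users >= spray_min_users and max_single <= 2:
            pattern = "spray"
        elif max_single >= brute_min_failures:
            pattern = "brute_force"
        else:
            pattern = None

        # Accounts that signed in after this source had already failed once.
        seen_fail, successes = False, []
        for _, user, outcome in evs:
            if outcome == "FAIL":
                seen_fail = True
            elif seen_fail and user not in successes:
                successes.append(user)

        findings[ip] = {
            "peak_distinct_users": peak_users,
            "max_failures_one_user": max_single,
            "pattern": pattern,
            "successes_after_failures": successes,
        }
    return findings


def compromised_candidates(findings):
    """Accounts that signed in from a source already classified as an attacker."""
    return sorted(
        user
        for f in findings.values()
        if f["pattern"] is not None
        for user in f["successes_after_failures"]
    )


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for ip, finding in sorted(result.items()):
        print(ip, finding)
    print("follow up first:", compromised_candidates(result))
```

On the sample data the spraying source is flagged with six distinct accounts and at most one failure each, the brute-force source with ten failures against one account, and the ordinary user with neither; the one account that succeeded from the spraying source is the compromise candidate. Real sign-in data also needs the success events correlated with MFA outcome, since a password-only success against an MFA-enrolled account stops at the second factor and is an attempted rather than a completed compromise.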

This activity is unrelated to the earlier Sunburst supply-chain attack on SolarWinds.

“The latest cyberattack reported by Microsoft does not involve our company or our customers in any way,” a SolarWinds spokesperson said.

SolarWinds Hackers Target Specific Customers

The SolarWinds hackers targeted specific customers. IT companies made up 57% of the targets, followed by government (20%), with smaller shares for non-governmental organizations and think tanks, as well as financial services.

The attacks focused largely on U.S. interests, at about 45%. The United Kingdom followed with 10%, with smaller numbers in Germany and Canada. In all, the hackers targeted 36 countries.

“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft said. “The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device.”

The investigation is ongoing, Microsoft said.

Low-Intensity, High-Impact Warfare

Om Moolchandani is CISO of Accurics. He said we’re entering the “low-intensity, high-impact cyber warfare age.”

“Over the last two decades, adversaries have developed sophisticated capabilities to launch and deliver cyber weapons across nation-states and industries,” he said. “But attackers can now use the new hyperconnected world in their favor. They no longer need to craft extremely sophisticated attack vectors. They can use existing connectivity to penetrate victims. That is the new doctrine, and it’s very similar to what we observe in today’s physical warfare strategies. The intensity is low, and attacks are confined, but the impacts are extremely high. Adversaries blend and hide between non-combatants in urban warfare, just as cyberattackers are now using customer support staff to hide their tactics.”

The stolen information could disclose customer usage patterns, logging, or the subjects of the service provided by the IT service provider, Moolchandani said. Moreover, hackers could use relevant data to spoof a victim’s ID.

Support agents require customer secrets in order to identify them, he said. Hackers could use this information to spoof victim email IDs and gain access to corporate accounts.

Low-Cost Options for Hacking

Attackers are constantly looking for low-cost options for completing their missions, Moolchandani said.

“It’s easier and more cost effective for them to target support agents working for smaller IT companies providing support services for large enterprises than it is to target those large organizations directly,” he said. “Support staff usually are provided with minimal access to systems for their needs. But organizations are still working hard to roll out cybersecurity awareness at rank-and-file levels, and that maturity still has to hit the point where every employee is aware of the risks. This is the weakness that attackers want to exploit.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.