At least 14 cloud service providers and resellers of technology products have been compromised since May by the Nobelium threat group, which according to U.S. intelligence is part of Russia’s foreign intelligence service.
Microsoft said these providers are part of a group of more than 140 resellers and technology service providers it has notified in the last five months that they are being targeted by Nobelium.
In a blog post this weekend Microsoft said Nobelium — blamed for the compromise of SolarWinds’ Orion update mechanism — has been attempting to replicate the tactics it used in past attacks by targeting organizations central to the global IT supply chain.
This time, Microsoft said, Nobelium is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to their customers’ IT systems to gain access to their downstream customers.”
These attacks have been part of a larger wave of Nobelium activity this summer, Microsoft said. Between July 1 and October 19 it warned 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1 it had notified customers about attacks from all nation-state actors 20,500 times over the past three years.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” says Microsoft.
Technical guidance released
In addition to the report, Microsoft released this technical guidance for resellers, cloud providers and IT teams to blunt Nobelium attacks.
- Ensure multifactor authentication (MFA) is in use and conditional access policies are enforced: All Microsoft partners are required to use MFA to access Partner Center and for cross-tenant access to customer tenants in Microsoft commercial clouds. Partners are advised to check their security compliance in Partner Center and monitor if any user logins or API calls are not compliant with MFA enforcement. Partners should stay compliant at all times.
- Adopt the Secure Application Model Framework: All partners integrating with Partner Center APIs must adopt the Secure Application Model framework for any app and user auth model applications.
- Check the Partner Center Activity Logs: partners are advised to regularly check the “Activity Log” in Partner Center to monitor any user activities, including high privileged user creations, high privileged user role assignment, etc. Partners can also use Partner Center Activity Log APIs to create a custom security dashboard on key user activities in Partner Center to proactively detect suspicious activities.
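The first and third points above amount to two detection questions a partner can ask of its own logs: which cross-tenant sign-ins completed without MFA, and who assigned highly privileged roles. The following is an added illustration, not code from Microsoft or the article; the records are constructed, and the field names (`authenticationRequirement`, `activityDisplayName`, the tenant-id fields) are assumed to follow the shape of Azure AD sign-in and audit entries.

```python
"""Screen sign-in and audit records for the two signals Microsoft's partner
guidance asks for: cross-tenant sign-ins that finished without MFA, and
assignments of highly privileged directory roles. Sample data is constructed."""
import json

# Constructed sample sign-ins; field names are an assumption modelled on
# Azure AD sign-in log entries, not a real tenant export.
SIGN_INS = json.loads("""[
 {"userPrincipalName": "agent1@partner.example", "homeTenantId": "partner",
  "resourceTenantId": "cust-A", "authenticationRequirement": "multiFactorAuthentication"},
 {"userPrincipalName": "agent2@partner.example", "homeTenantId": "partner",
  "resourceTenantId": "cust-B", "authenticationRequirement": "singleFactorAuthentication"},
 {"userPrincipalName": "agent3@partner.example", "homeTenantId": "partner",
  "resourceTenantId": "partner", "authenticationRequirement": "singleFactorAuthentication"}
]""")

# Constructed sample audit entries (same assumption about field names).
AUDITS = json.loads("""[
 {"activityDisplayName": "Add member to role", "initiatedBy": "agent2@partner.example",
  "targetUser": "svc-new@partner.example", "targetRole": "Global Administrator"},
 {"activityDisplayName": "Add member to role", "initiatedBy": "admin@partner.example",
  "targetUser": "analyst@partner.example", "targetRole": "Reports Reader"},
 {"activityDisplayName": "Update user", "initiatedBy": "admin@partner.example",
  "targetUser": "analyst@partner.example", "targetRole": null}
]""")

# Roles whose assignment should always be reviewed; extend to local policy.
HIGH_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator",
                   "Application Administrator"}


def non_mfa_cross_tenant(sign_ins):
    """UPNs that reached a customer tenant (resource != home) without MFA,
    i.e. sign-ins that violate the MFA requirement for cross-tenant access."""
    return [s["userPrincipalName"] for s in sign_ins
            if s["homeTenantId"] != s["resourceTenantId"]
            and s["authenticationRequirement"] != "multiFactorAuthentication"]


def privileged_role_grants(audits):
    """(actor, target user, role) for every high-privilege role assignment."""
    return [(a["initiatedBy"], a["targetUser"], a["targetRole"]) for a in audits
            if a["activityDisplayName"] == "Add member to role"
            and a["targetRole"] in HIGH_PRIV_ROLES]


def correlate(sign_ins, audits):
    """Actors who both signed in cross-tenant without MFA and granted a
    privileged role: the combination that most deserves an analyst's time."""
    weak = set(non_mfa_cross_tenant(sign_ins))
    return sorted({actor for actor, _, _ in privileged_role_grants(audits) if actor in weak})
```

Feeding real exports into these functions requires mapping the tenant's actual field names onto the ones assumed here.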
Remove delegated administrative privileges (DAP) connection when not in use
To improve security, Microsoft recommends that partners remove delegated administrative privileges that are no longer in use. Starting in November, a new reporting tool will be available that identifies and displays all active delegated administrative privilege connections and will help organizations discover unused ones. This tool will report how partner agents are accessing customer tenants through those privileges and will allow partners to remove a connection when it is not in use.
- Microsoft is offering service providers a free two-year subscription to Azure Active Directory Premium Plan 2 to further help them manage and report on access privileges. Registered partners can log on to Partner Center to take advantage of this offer. Azure AD Premium Plan 2 provides extended access to sign-in logs and premium features such as Azure AD Privileged Identity Management (PIM) and risk-based Conditional Access capabilities to strengthen security controls.
3. Conduct a thorough investigation and comprehensive response.
Partners that think they might have been affected should carry out additional investigation to determine the full scope of compromised users and assets. Microsoft recommends the following:
- Review the Azure AD Security Operations Guide to audit or establish their security operations. A cloud service provider or an organization that relies on elevated privileges needs to assess the security implications in their network and its connectivity for their customers. In particular, review authentications that are associated with Azure AD configuration changes using the Microsoft 365 compliance center (formerly in the Exchange admin center) or Azure AD admin logs.
- Adequate log retention procedures for cloud-based resources are critical to effectively identify, respond to, and remediate malicious activity. Cloud service providers and other technology organizations often configure individual subscriptions to meet specific customer requirements. These configurations might not include security controls that enable full accountability to administrative actions should an incident occur. Microsoft encourages all organizations to become familiar with logs made available within their subscription and routinely evaluate them for adequacy and anomalies.
- General incident response playbooks for phishing and password spray are available in Microsoft Security Best Practices.