Almost exactly a year ago, security researchers discovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.
Nobelium, the name Microsoft gave the intruders, was eventually kicked out, but the group never gave up and has arguably only become more brazen and adept at hacking large numbers of targets in one fell swoop. The latest reminder of the group’s competence comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous exploits, and a few mistakes, as it continued to breach the networks of some of its highest-value targets.
Abuse of trust
One of the things that made Nobelium so formidable was the creativity of its TTPs, hackers’ jargon for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group hacked into SolarWinds’ network and used that access, and the trust customers placed in the company, to send a malicious update to approximately 18,000 of them.
Almost instantly, the hackers could break into the networks of all those entities. It would be similar to a thief breaking into a locksmith’s premises and obtaining a master key that unlocks the doors of every building in the neighborhood, avoiding the hassle of picking each lock. Not only was Nobelium’s method scalable and efficient, it also made large-scale compromises much easier to hide.
The Mandiant report shows that Nobelium’s ingenuity has not wavered. Since last year, the company’s researchers say, the two hacking groups linked to the SolarWinds attack, one tracked as UNC3004 and the other as UNC2652, have continued to come up with new ways to efficiently compromise large numbers of targets.
Rather than poisoning SolarWinds’ supply chain, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, the outsourced third-party companies that many large organizations rely on for a wide range of IT services. The hackers then found clever ways to use those compromised vendors to pry open their customers’ networks.
“This intrusion activity reflects a well-resourced set of threat actors operating with a high level of concern for operational security,” Monday’s report said. “The abuse of a third party, in this case a CSP, can facilitate access to a wide range of potential victims through a single compromise.”
The advanced tradecraft didn’t stop there. According to Mandiant, other advanced tactics and tricks included:
- The use of credentials stolen by financially motivated hackers using malware such as Cryptbot, an information stealer that harvests credentials from systems, web browsers, and cryptocurrency wallets. The help of these hackers allowed UNC3004 and UNC2652 to compromise targets even when no hacked service provider was available.
- Once inside a network, the hacking groups compromised the company’s spam filters or other software that held “application impersonation privileges,” which grant the ability to access email or other data types from any other account on the compromised network. Hijacking this single account saved the attackers the trouble of having to log into each account individually.
- The abuse of legitimate residential proxy services or geolocated cloud providers like Azure to connect to end targets. When administrators of the hacked companies reviewed the access logs, they saw connections coming from reputable local ISPs or cloud providers located in the same geography as the companies. This helped disguise the intrusions, since state-sponsored hackers frequently use dedicated IP addresses that raise suspicions.
- Clever ways to bypass security restrictions, such as abusing virtual machines to determine the internal routing configuration of the networks they wanted to hack.
- Gaining access to an Active Directory instance stored in a target’s Azure account and using this all-powerful management tool to steal the cryptographic keys that generate tokens capable of bypassing two-factor authentication protections. This technique gave the intruders what is known as a Golden SAML, which is similar to a master key that unlocks all services relying on the Security Assertion Markup Language, the protocol that makes single sign-on, 2FA, and other security mechanisms work.
- The use of a custom downloader called Ceeloader.
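The residential-proxy tactic in the list above defeats alerting that keys on source country alone. The following is an added example, not code from the Mandiant report or from any company named here: a small Python triage script over constructed sign-in log lines that enriches each source IP with a constructed prefix-to-network-type table (standing in for an ASN or proxy-intelligence feed) and flags sign-ins from hosting or residential-proxy space even when the country matches the user's home country. The log format, the addresses and the table are all assumptions.

```python
"""Added example: enrich sign-in source IPs by network type rather than by country alone.

The log format, IP ranges and the prefix table below are constructed for this
example; in practice the table would come from an ASN or proxy-intelligence feed.
"""
from ipaddress import ip_address, ip_network

# Constructed prefix table: (network, ASN, owner, network type). Reserved
# documentation ranges are used so nothing here points at a real network.
PREFIX_INFO = [
    (ip_network("203.0.113.0/24"), "AS64500", "ExampleNet Broadband", "isp"),
    (ip_network("198.51.100.0/24"), "AS64501", "ExampleCloud Region East", "hosting"),
    (ip_network("192.0.2.0/24"), "AS64502", "ExampleProxy Residential", "residential_proxy"),
]

# Network types a geography-only rule waves through but that warrant review.
SUSPECT_TYPES = {"hosting", "residential_proxy"}

# Constructed sign-in records: every source country matches the users' home country.
SIGNIN_LOG = """\
2021-12-06T08:01:12Z user=alice@corp.example ip=203.0.113.40 country=US result=success
2021-12-06T08:05:44Z user=alice@corp.example ip=198.51.100.17 country=US result=success
2021-12-06T09:12:03Z user=bob@corp.example ip=192.0.2.9 country=US result=success
2021-12-06T09:15:00Z user=bob@corp.example ip=203.0.113.41 country=US result=success
"""


def parse_signin(line):
    """Turn 'timestamp key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def enrich_ip(ip_text):
    """Look the address up in the prefix table; unknown space is reported as such."""
    addr = ip_address(ip_text)
    for net, asn, owner, net_type in PREFIX_INFO:
        if addr in net:
            return {"asn": asn, "owner": owner, "type": net_type}
    return {"asn": None, "owner": None, "type": "unknown"}


def geo_only_alerts(log_text, home_country):
    """The naive rule: alert only when the source country differs from home."""
    records = [parse_signin(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in records if r["country"] != home_country]


def network_type_alerts(log_text):
    """The better rule: alert on hosting or proxy space regardless of country."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_signin(line)
        info = enrich_ip(rec["ip"])
        if info["type"] in SUSPECT_TYPES:
            findings.append({"user": rec["user"], "ip": rec["ip"],
                             "asn": info["asn"], "reason": info["type"]})
    return findings


if __name__ == "__main__":
    print("geo-only alerts:", len(geo_only_alerts(SIGNIN_LOG, "US")))
    for f in network_type_alerts(SIGNIN_LOG):
        print(f"{f['user']} from {f['ip']} ({f['asn']}): {f['reason']}")
```

On the constructed data the geography-only rule raises nothing, while the network-type rule surfaces one sign-in each for alice (hosting space) and bob (residential-proxy space); the difference is exactly the blind spot the report describes, so the useful enrichment is who owns the address and what kind of network it is, not where it geolocates.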
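Golden SAML detection rests on one observation: a token forged with a stolen signing key never passes through the federation server, so the cloud side records a federated sign-in that the on-premises federation service has no record of issuing. The following is an added example, not from the Mandiant report: Python that correlates constructed federation-server issuance records with constructed cloud sign-in records and reports federated sign-ins with no matching issuance in a short preceding window. Both log formats, the field names and the five-minute window are assumptions.

```python
"""Added example: find federated cloud sign-ins the federation server never issued a token for.

The two log formats, the field names and the correlation window are assumptions
made for this example; real products name these fields differently.
"""
from datetime import datetime, timedelta

# Constructed federation-server token-issuance records.
ISSUANCE_LOG = """\
2021-12-06T08:00:05Z event=token_issued user=alice@corp.example client_ip=203.0.113.40
2021-12-06T09:30:10Z event=token_issued user=carol@corp.example client_ip=203.0.113.42
"""

# Constructed cloud-side sign-in records for the same tenant.
CLOUD_SIGNIN_LOG = """\
2021-12-06T08:00:09Z user=alice@corp.example auth=federated ip=203.0.113.40 app=mail
2021-12-06T09:30:12Z user=carol@corp.example auth=federated ip=203.0.113.42 app=files
2021-12-06T10:30:00Z user=bob@corp.example auth=federated ip=198.51.100.17 app=mail
2021-12-06T11:00:00Z user=dave@corp.example auth=password ip=203.0.113.50 app=mail
2021-12-06T14:00:00Z user=alice@corp.example auth=federated ip=198.51.100.17 app=files
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_record(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, TS_FORMAT)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def load(log_text):
    return [parse_record(l) for l in log_text.splitlines() if l.strip()]


def unissued_federated_signins(issuance_text, cloud_text, window=timedelta(minutes=5)):
    """Return federated sign-ins with no issuance for that user in the preceding window.

    A token forged off-box with a stolen signing key is accepted by the cloud side
    but never appears in the federation server's issuance log; that gap is the signal.
    """
    issued_by_user = {}
    for rec in load(issuance_text):
        if rec.get("event") == "token_issued":
            issued_by_user.setdefault(rec["user"], []).append(rec["ts"])

    findings = []
    for signin in load(cloud_text):
        if signin.get("auth") != "federated":
            continue  # password and other non-SAML sign-ins are out of scope here
        candidates = issued_by_user.get(signin["user"], [])
        # The issuance must precede the sign-in, and not by more than the window.
        matched = any(timedelta(0) <= signin["ts"] - issued <= window for issued in candidates)
        if not matched:
            findings.append({"user": signin["user"], "ts": signin["ts"].strftime(TS_FORMAT),
                             "ip": signin["ip"], "app": signin["app"]})
    return findings


if __name__ == "__main__":
    for f in unissued_federated_signins(ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"no issuance record: {f['user']} at {f['ts']} from {f['ip']} to {f['app']}")
```

On the constructed data the sign-ins by bob and the afternoon sign-in by alice are reported, because neither has an issuance record behind it; the password sign-in by dave is ignored since it never involves a SAML token. The correlation only works if federation-server issuance logs are shipped to the same place as cloud sign-in logs with clocks in sync, and once a stolen signing key is suspected, the remediation that actually invalidates forged tokens is rotating the token-signing key rather than resetting user passwords.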