SolarWinds Hackers Still Targeting Microsoft, Focus on Support Staff

Dealing with cybersecurity is an ongoing battle of wits and skills that often leaves IT professionals feeling like they are barely holding back the never-ending attacks of a giant whack-a-mole defensive game of chance.

Take the case of Microsoft and the infamous SolarWinds supply chain hack that was first reported last December. Its ramifications are still not fully known, while the potential damage continues to fester in hundreds of compromised business and government networks.

SolarWinds is a major U.S. information technology firm whose computer network was breached in a series of cyberattacks that spread to its clients and went undetected for months. Microsoft recently disclosed that it, too, was no doubt a victim of the same Russian-based hacker gang responsible for the SolarWinds onslaught.

As some of the details surrounding the cyberattack become known, the bleak disclosures might justifiably cause a sniffled gasp, indicating that if Microsoft can be breached, what hope is left for everyone else?

Microsoft admitted that in late May, an attacker believed to be involved with Nobelium phished one of its customer service agents to steal information and then used it to launch hacking attempts against customers. Microsoft said it discovered the compromise during its response to hacks by a team responsible for earlier major breaches at SolarWinds and Microsoft.

Ironically, the nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker’s computer.

In follow-up statements about the ongoing struggles with cybersecurity, Microsoft president Brad Smith called SolarWinds “the largest and most sophisticated attack the world has ever seen,” according to published reports. The attack campaign had more than a thousand hackers behind it.

Former SolarWinds CEO Kevin Thompson offered that the successful breach could have resulted from an intern who created “‘solarwinds123” as a password and then shared that password on GitHub.

Of course, that is how phishing attacks are supposed to work. Attackers disperse their tactics and hope to have them remain secret for as long as possible. Usually, large-scale attacks like SolarWinds are fought on multiple attack vectors.

“We are entering the low-intensity, high-impact cyberwarfare age. Over the last two decades, adversaries have developed sophisticated capabilities to launch and deliver cyber weapons across nation-states and industries, but attackers can now use the new hyper-connected world in their favor,” Om Moolchandani, CISO of Accurics, told TechNewsWorld.

Urban Warfare Gone Digital

He noted that cyberattackers no longer need to craft extremely sophisticated attack vectors. They can use existing connectivity to penetrate victims. He likened cyberattackers’ new doctrine to today’s physical warfare strategies. The intensity is low, and attacks are confined, but the impacts are extremely high.

“Adversaries blend and hide between non-combatants in urban warfare, just as cyberattackers are now using customer support staff to hide their tactics,” Moolchandani observed.

Microsoft’s Threat Intelligence Center on June 25 reported that Nobelium launched new attack activity that includes password spray and brute-force attacks. But those tactics have been largely unsuccessful, according to Microsoft.

If Nobelium’s attack on Microsoft’s infrastructure was “mostly unsuccessful,” then we can presume that it was “partially successful,” countered Neil Jones, cybersecurity evangelist at Egnyte.

“This is a classic example of the continual need to harden your passwords, deploy effective multi-factor authentication (MFA) techniques, and maximize password management techniques,” he told TechNewsWorld.

Those requirements are mission-critical for systems that are used to interact with your clients and to collect their data, he added.

“The most recent attack is also a stark reminder that you need to make data governance a board-level priority if you haven’t done so already,” said Jones.

More Details Emerge

The Threat Center’s investigation also detected information-stealing malware on a machine belonging to one of Microsoft’s customer support agents, who had access to basic account information for a small number of our customers, according to the Center’s June 25 report.

“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access, and secured the device,” noted the report.

Microsoft’s support agents are configured with the minimal set of permissions required as part of the company’s zero trust “least privileged access” approach to customer information, the statement explained.

That information reinforces the importance of best practice security precautions such as zero-trust architecture and multi-factor authentication in continuing to prevent network intrusions, according to Microsoft.

“Since the malicious actor was already launching precision attacks on customers whose information was compromised, this indicates that attacking support agents were likely part of the campaign with a larger mission,” added Moolchandani.

Attacker Intentions

The stolen information could possibly disclose customer patterns for usage, logging, or subjects of the service provided by the IT service provider or other relevant data that can be used to spoof a victim’s ID, noted Moolchandani.

“Support agents require customer secrets in order to identify them. If stolen, this information can be used by adversaries for spoofing victim email IDs and gaining access to corporate accounts,” he explained.

Attackers target IT companies because they want to gain access to their end targets using supply chain mechanisms. Most IT companies provide backbone services to large enterprises, businesses, governments, and industries.

“IT companies focus heavily on customer success and require sensitive information, privileges, and access to deliver these services. They have a lot of juicy information that is attractive to adversaries, and any lack of cybersecurity best practices such as zero trust, hardening, or multi-factor authentication can result in the compromise of customer data,” Moolchandani said.

Support Agents Key Targets

Attackers are constantly looking for low-cost options to complete their missions. It is easier and more cost-effective for them to target support agents working for smaller IT companies providing support services for large enterprises than it is to target those large organizations directly, according to Moolchandani.

“Support staff usually are provided with minimal access to systems for their needs, but organizations are still working hard to roll out cybersecurity awareness at rank-and-file levels, and that maturity still has to hit the point where every employee is aware of the risks. This is the weakness that attackers want to exploit,” he explained.

The latest disclosures illustrate that simply adding password protection controls is not enough. Near real-time monitoring of the complex behavior of credentials and entitlements is equally important and mandatory for response teams as those preventative controls will always fail, warned Ralph Pisani, president of Exabeam.

“Despite Nobelium being well-known among the security community due to the SolarWinds attack and other past successes, they continue to develop new footholds and do not appear to be going away anytime soon,” he told TechNewsWorld.

Better Plans Needed

During this instance with Microsoft, the adversaries were able to use the infected machine to gather more context about customers. This information allowed the adversaries to create highly targeted phishing emails about their accounts and payments to gain more access and credentials, noted Pisani.

“As part of the intrusion set, Microsoft witnessed both password spray and brute-force attacks on accounts and customers. We must embrace the idea that identity is the new perimeter. We know that a compromised employee played a role in this most recent incident,” he added.

Security teams have seen cyber enemies play the same game repeatedly. So, defense starts with detection, triage, investigation, and response, Pisani urged.

“While there is increasing focus on addressing the two ends of detection and response, most companies struggle or overlook the middle pieces without realizing the smokescreen this provides for attackers,” Pisani cautioned.

He urged Security Operations Center teams to take a more comprehensive outcomes-based approach to security. Beyond passwords, protecting the identities of your employees, customers, partners, and anyone inside your IT systems is a critical outcome.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels