Tom Burt (Microsoft)
Microsoft has warned channel partners about fresh supply chain attack activity by the Russian nation-state actor known as Nobelium, laying out a number of steps IT providers can take to mitigate the threat.
Nobelium – the name Microsoft has attributed to the group – is the same threat actor behind the cyber attacks that targeted SolarWinds customers in 2020 and which, according to Microsoft, the US government and others have identified as being part of Russia’s foreign intelligence service.
Nobelium, also known in the security industry as APT29 or Cozy Bear, has been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain, according to Microsoft.
Microsoft customer security and trust corporate vice president Tom Burt claims that, this time, the threat group is attacking a different part of the supply chain, specifically focusing on resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers,” Burt said in a blog post.
“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium.
“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised. Fortunately, we have discovered this campaign during its early stages and we are sharing these developments to help cloud service resellers, technology providers and their customers take timely steps to help ensure Nobelium is not more successful,” he added.
It seems that the attacks Microsoft has observed in the recent campaign against resellers and service providers have not attempted to exploit any particular flaw or vulnerability in software, but rather have used well-known techniques like password spray and phishing to steal legitimate credentials and gain privileged access.
“We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach,” Burt said.
Indeed, the Microsoft Partner Network team has produced guidance to help partners protect themselves and their customers from potential attack by the group, noting that the attacks highlight the need for administrators to adopt strict account security practices and take additional measures to secure their environments.
The vendor suggests that cloud service providers (CSP), managed service providers (MSP) and other IT services organisations that rely on delegated administrative privileges should review the guidance and implement the recommended mitigations immediately.
Here are the three steps Microsoft recommends that partners take:
1. Verify and monitor compliance with Microsoft Partner Centre security requirements
All Microsoft partners should review and verify overall compliance status with the partner security requirements through the Microsoft Partner Centre.
Microsoft recommends that partners ensure multifactor authentication (MFA) is in use and conditional access policies are enforced; all Microsoft partners are required to use MFA to access Partner Centre and for cross-tenant access to customer tenants in Microsoft commercial clouds.
Partners are also advised to check their security compliance in Partner Centre and monitor if any user logins or API calls are not compliant with MFA enforcement. Additionally, partners should make sure they are compliant at all times.
Moreover, Microsoft recommends partners adopt the Secure Application Model Framework – all partners integrating with Partner Centre APIs must adopt the Secure Application Model framework for any app and user auth model applications.
Read more on the next page...
