SolarWinds attacker targets cloud service providers in new supply-chain threat
Nobelium, the Russia-based threat actor behind the supply chain attack on SolarWinds, is targeting cloud service providers and IT services organizations in a large-scale and ongoing campaign designed to infiltrate systems belonging to downstream customers of these companies.
Since May, Nobelium has attacked at least 140 cloud service providers and compromised 14 of them, according to Microsoft, which has been tracking the campaign.
Once on a service provider’s network, Nobelium has been targeting the privileged accounts that providers use to access and manage networks belonging to their downstream customers. It has used several tactics, including password spraying, phishing, token theft, and API abuse, to steal legitimate credentials for these accounts. The attackers have then used the privileged accounts to gain a foothold on systems belonging to targeted downstream customers of the service provider. Victims have included enterprise organizations, technology vendors, government entities, and think tanks, Microsoft says. Most of the organizations that have been targeted are based in the United States or countries across Europe.
The attacks on service providers — and resulting compromises — are not the result of product security vulnerabilities. Rather, they are the result of Nobelium actors taking advantage of any direct access that Internet and cloud service providers have to their customer systems, said Tom Burt, corporate vice president of customer security and trust at Microsoft, in a blog posted Sunday.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Burt wrote.
This latest Nobelium campaign is an example of attackers’ growing focus on targets that provide them with means to compromise multiple organizations at the same time without having to break into each one separately. Examples of such targets include cloud service providers, managed service providers, software vendors, and other trusted entities in the technology supply chain, many of which have privileged access rights on networks belonging to their customers.
In the SolarWinds campaign, Nobelium broke into the company’s software build environment and used its access to quietly embed malicious code into legitimate updates of SolarWinds’ Orion network management product. That single intrusion gave the attacker a way to distribute malware to thousands of organizations, though it was interested in stealing data from only a small subset.
“This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” Burt said.
In July, the REvil threat group used a similar tactic, targeting a Kaseya server product — which many managed service providers use — to distribute ransomware to thousands of those providers' downstream customers.
For enterprise organizations, the main takeaway from such attacks is that supply chain threats extend well beyond just software vendors, says Jake Williams, co-founder and CTO at BreachQuest. IT service providers often have relatively poor security themselves while simultaneously having access to numerous customer networks, he adds.
To read the complete article, visit Dark Reading.