Another SolarWinds attack and what you should know about it
In a matter of months, we have yet another serious SolarWinds attack to deal with. What do we know about it? Are you at risk?
Microsoft recently announced that the hackers behind the SolarWinds attack, Nobelium, initiated supply chain attacks. This time around, the threat actors targeted both IT services and cloud services providers on a large scale.
According to Microsoft, Nobelium attacked over 140 cloud service providers and managed to compromise as much as 14 of them. This current malicious campaign attempts to infiltrate a system that belongs to downstream customers.
Microsoft’s security researchers also stated that they observed 22,868 Nobelium attacks on companies in the US and around the world between July 1st and mid-October this year. Microsoft has since informed 609 customers that they were targets of these attacks.
What’s the latest SolarWinds cyber attack about?
Nobelium hackers tried to infiltrate systems to target privileged accounts. These were accounts that leveraged the services of IT services providers to better manage the networks of downstream customers.
Key tactics in their arsenal include:
- API abuse
- Password spraying
- Phishing campaigns
- Token theft
The aim is to try different approaches to steal legitimate access credentials to these accounts. Once they achieve their goal, the next step is to gain a foothold on downstream customers across North America and Europe. These include government agencies, enterprises, think tanks, and even technology vendors.
Security breaches, in this case, didn’t come down to product security vulnerabilities. Instead, threat actors took advantage of protocols that enable direct access to customer systems. Thereat actors are essentially trying to piggyback on direct access that resellers typically have to customer IT systems to impersonate their trusted partners.
How was this cyber attack different?
Unlike cyber attacks in the past, this latest Nobelium hacking campaign shows that threat actors have changed their focus to compromising multiple organizations at once instead of targeting each one separately.
Previously, Nobelium managed to surreptitiously embed malicious code into legitimate SolarWinds updates for their Orion network management product. In this scenario, hackers were able to distribute malware to thousands of organizations across the world with a single intrusion.
This new SolarWinds campaign is similar to the REvil group’s cyber attack last July, targeting a Kaseya server technology. Although thousands of companies ended up with malicious code in their systems, the end goal here was to steal data from a handful of businesses.
According to Mateo Meier, founder, and CEO of Artmotion, “cybersecurity is an endless game of cat and mouse. As such, we at Artmotion take a proactive approach to security. This includes keeping up with the latest security trends, engaging in comprehensive security audits, enforcing robust encryption, and leveraging the expertise of ethical hackers to fortify our cloud infrastructure. Our customers have nothing to worry about when it comes to this new Nobelium campaign or others because we always take care of it.”
This latest SolarWinds hack also reaffirms the importance of fully remediating after security events. Unfortunately, many organizations failed to fully remediate enabling network access to hackers after the remediation was considered complete.
If your cloud services provider hasn’t already removed connections with delegated access privileges when customer networks aren’t in use, ask them to do it immediately. Also, make sure that they review and audit security protocols and initiate an investigation to find out if they have been breached.
Take a proactive approach to cyber security by:
- Creating a culture of security within the organization
- Following best practices
- Enforcing multi-factor authentication (MFA)
- Enforcing conditional access policies
- Engaging ethical hackers
- Regularly auditing and reviewing logs and configurations